What HTTP status code is more appropriate to return from a REST API PUT/PATCH method when a resource is in a state where it can't be updated?

Supposing you have a resource in a "finalized" state and updating it (fully or partially) is not allowed by anyone, what would be the correct HTTP status code to return in case someone tries to update it? 400, 403, 409 or something else?

1 answer

  • answered 2019-11-08 15:57 VoiceOfUnreason

    405 Method Not Allowed is an interesting possibility

    The 405 (Method Not Allowed) status code indicates that the method received in the request-line is known by the origin server but not supported by the target resource. The origin server MUST generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.

    "Currently supported methods" implies that the set of allowed methods for a resource can evolve over time. So I would argue this code is satisfactory for resources that are in a state where PUT/PATCH are not supported.

    403 Forbidden is also a satisfactory option.

    The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it.
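An added example, not part of the answer above: a minimal handler showing the 405 option, where the Allow header is computed from the resource's current state so it shrinks once the resource is finalized. The state names, `METHODS_BY_STATE` and `handle` are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed state model (assumption): methods each state currently supports.
METHODS_BY_STATE = {
    "draft": ("GET", "HEAD", "PUT", "PATCH"),
    "finalized": ("GET", "HEAD"),
}
# Methods this hypothetical server recognises at all.
KNOWN_METHODS = {"GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS"}


def handle(method, resource, payload=None):
    """Return (status, headers, body) for one request against one resource."""
    method = method.upper()
    if method not in KNOWN_METHODS:
        # 405 is for methods the server knows; an unknown method is 501.
        return HTTPStatus.NOT_IMPLEMENTED, {}, None

    allowed = METHODS_BY_STATE[resource["state"]]
    if method not in allowed:
        # The check runs before any write, so a finalized resource is never
        # modified, and the mandatory Allow header reflects the current state.
        headers = {"Allow": ", ".join(allowed)}
        return HTTPStatus.METHOD_NOT_ALLOWED, headers, None

    if method == "PUT":
        resource["data"] = dict(payload or {})    # full replacement
    elif method == "PATCH":
        resource["data"].update(payload or {})    # partial update
    body = None if method == "HEAD" else dict(resource["data"])
    return HTTPStatus.OK, {}, body


if __name__ == "__main__":
    doc = {"state": "draft", "data": {"title": "v1"}}   # constructed sample
    print(handle("PATCH", doc, {"title": "v2"}))
    doc["state"] = "finalized"
    print(handle("PATCH", doc, {"title": "v3"}))
```
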