Handling a "400 Bad Request"

In my notes I have a URL which creates a “400 Bad Request” error and displays the following…

Bad Request
Your browser sent a request that this server could not understand.

1.) What exactly does that error mean?

2.) Should I have specific error-handling in my code to account for this?

3.) Any security holes I need to worry about?

IMHO the easiest and best way to deal with these types of errors is to add a line to your htaccess file, e.g.

# BAD REQUEST
ErrorDocument 400 /custom-error-page.php

or you could send them to “home” or “search” or “sitemap” etc.

If you wanted to get fancy you can pass a $_GET variable to the page.

What exactly is a 400 error?

How common is it?

In my notes, I saw that I had created one last summer, but that seemed to be by pure accident because I added a ‘%’ at the end of some URL. (Not something a user would normally do.)

I am wondering if this is obscure enough that I just don’t worry about it?

As mentioned above, the error displayed in my browser seemed good enough, but I just wasn’t sure if this was something like a 404 error where you definitely need a page to handle it or not.

“Bad Request” means a “bad http request”

If I understand correctly, I guess the most common would be when someone typoed a wrong URL eg. if you had
http://domain.com/widgetspercent.php
but they tried going to
http://domain.com/widgets%.php
they might get a 400 response

See, I would think they would get a 404 error instead.

I guess 400 and 404 are “cousins”?!

Anyways… do I need another custom handler, or can I assume the default is good enough - it was for me.

(Honestly, I have never seen a 400 until this summer, so it seems rather obscure to me.)

I imagine most of the 400s are script kiddies hoping to find a vulnerability eg.
hoping to see your “outside of root” info
http://../../domain.com

If you already have a custom 404 page I think sending 400s there as well would work.

The majority of HTTP status codes you probably won’t see in every-day web page serving, but there are quite a few that are used in APIs to provide more detailed responses to the client.

The 400 error code is returned when you make a request to a valid URL, but with missing or malformed headers or parameters. It’s basically the server saying: “OK, you got the right URL, but you’re not making the request correctly”. Take a look at Microsoft’s Azure API docs for some examples of the conditions they return a 400 response for.

So should a person have a custom error page for each?

Currently I have one for 403 and 404, but if there are dozens of codes, then I sorta don’t want to bother right now unless it is important.

If you’re not creating an API and your site only serves web pages then I’d say you probably don’t need it - I’ve never come across one before on a normal website.
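An added example, not part of the thread: a Python check for the stray `%` case discussed above (a `%` not followed by two hex digits is an invalid percent-escape), which also tallies 400 responses per client from access-log lines so repeated probing stands out. The log lines are constructed, the function names are made up for illustration, and Apache's common/combined log format is assumed.

```python
import re
from collections import defaultdict

# Assumed format: Apache common/combined log prefix
# client identd user [time] "request line" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')
# A '%' that is not followed by two hex digits is not a valid percent-escape (RFC 3986).
BAD_ESCAPE_RE = re.compile(r'%(?![0-9A-Fa-f]{2})')

def has_malformed_escape(target):
    """True if the request target contains an invalid percent-escape."""
    return bool(BAD_ESCAPE_RE.search(target))

def classify_400(request_line):
    """Give a coarse reason for a 400, based only on the logged request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:  # expected: METHOD TARGET PROTOCOL
        return "malformed request line"
    if has_malformed_escape(parts[1]):
        return "invalid percent-escape"
    return "other"

def summarize_400s(lines):
    """Map client address -> list of (request line, reason) for every 400 response."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "400":
            client, request_line = m.group(1), m.group(2)
            hits[client].append((request_line, classify_400(request_line)))
    return dict(hits)

# Constructed sample log lines (documentation addresses, made-up paths and times).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2023:10:00:01 +0000] "GET /widgets%.php HTTP/1.1" 400 226',
    '203.0.113.7 - - [10/Jul/2023:10:00:02 +0000] "GET /widgetspercent.php HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jul/2023:10:00:05 +0000] "GET /page%zz HTTP/1.1" 400 226',
    '198.51.100.9 - - [10/Jul/2023:10:00:06 +0000] "HELLO" 400 226',
    '198.51.100.9 - - [10/Jul/2023:10:00:07 +0000] "GET /missing.php HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for client, entries in summarize_400s(SAMPLE_LOG).items():
        print(client, len(entries), "bad request(s)")
        for request_line, reason in entries:
            print("   ", reason, "->", request_line)
```

A single 400 from one client usually means a typo like the trailing `%`; many 400s from one address in a short window are worth a closer look.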
