0

Is there a technical requirement (e.g., RFC) to serve a 404 response?

Or does some other problem emerge if requests not found are dropped or replies empty?

Paul
  • 3,137
  • 1
    You may find the answer/videos on https://security.stackexchange.com/a/150762/10843 to be relevant to your second question. – Brian Jan 12 '22 at 13:56

2 Answers2

2

An HTTP server is required to reply with an HTTP response message. Every HTTP request returns a status code, see RFC 1945.

The 4xx/5xx codes are just the error codes that are usually displayed to the user.

Zac67
  • 11,547
  • RFC 1945 is Informational (but still useful) - do you know if this is addressed in others? – Paul Jan 06 '22 at 21:04
  • Well, that RFC's pretty much the foundation block of the Web. But you can refer to RFCs 2068, 7231, 7540, ... as well. No, there's no "Internet Standard" anywhere but that's how it is. – Zac67 Jan 06 '22 at 21:19
  • I understand there isn't truly an official standard, but there is a difference the RFC statuses, for which RFC 2026 was created to define, itself a "Best Current Practice" RFC (not even a standard!). – Paul Jan 06 '22 at 21:25
  • 1
    I understand that but (perhaps strangely) that's the way things are. – Zac67 Jan 06 '22 at 21:31
2

RFC 7230 Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing (Standards Track)

Section 2.1

...

A server responds to a client's request by sending one or more HTTP response messages, each beginning with a status line that includes the protocol version, a success or error code, and textual reason phrase ...

According to this RFC, you can't simply drop the connection or send an empty reply.

AlexD
  • 10,271
  • i agree to the terms, the standard client is awaiting the status first and then it acts respectively to the answer imho – djdomi Jan 07 '22 at 08:23
  • I apologize if I'm revising my question with this comment, but what I'm looking at is the obvious garbage thrown at the server. It seems like anything that has a Host header not matching anything I'm serving should just be dropped, because analysis of the logs shows it is 100% bots and likely to do with ancient assignments of the IP address, so 404 response is pointless. At some point, a request should be considered invalid or even hostile, and 100 requests/sec bot-generated 404 garbage looks hostile, at least to me, and I'd really rather drop it, but I do prefer to follow standards. – Paul Jan 07 '22 at 13:13
  • You can respond with 400 for an invalid Host: header (Section 5.4 of the RFC 7239). You can rate limit requests and respond with 429. If a client host is really hostile and generates too many 4xx errors then you can block them at IP level (fail2ban etc.) and drop connection (RFC 6585 Section 7.2) – AlexD Jan 07 '22 at 13:28