The HTTP status code for a web server's default "hello" front page

July 8, 2023

In a comment on my entry on how web servers shouldn't give HTTP 200 results for random URLs, Jonathan reported something that I find fascinating:

This reminds me of a personal bugbear with the RHEL httpd package, which is the inverse situation: OOTB it’s configured to serve a “hello” page on / via an error handler, so you get an error code for a success.

I personally find this fascinating and can't really vote against it (in contrast to Jonathan). To me, it raises the interesting question of whether a web server's default 'hello I am <X>' front page should actually exist, in the sense of what HTTP status code it should use.

On the one hand, the front page is there and there's often some traditional content to it (announcing the web server, host OS, and so on, although how wise that is these days is an open question). On the other hand, no one has actually set up this front page; the web server is mostly showing it to be friendly, especially in a completely stock configuration as installed by a package manager (where everyone can assume that the configuration itself is working). Since no actual person has deliberately set up the front page, I can see an argument that the right HTTP response code is a 404 not found. In the sense of deliberate content put there by the website operator, there is no front page.

As with other HTTP error codes, the real answer is that one should probably use whatever status code is most convenient. On the one hand, the returned HTTP status code mostly doesn't matter to browsers and thus the people using them; most browsers just display the HTML of the HTTP error page with no UI indication of the actual status code. On the other hand, the HTTP status code does matter (sometimes a lot) to programs that hit the URL, including status monitoring programs; these will probably consider their checks to have failed if the web server returns a 404 and to have succeeded if it returns a 200. If you're pointing status checking programs at the front page of your just-set-up web server to make sure it's up, you probably want an HTTP 200 code (although not if the real thing you're checking is whether or not the web server and the site have been fully set up).
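The difference between "the server answers" and "the site has been set up" can be made explicit in the check itself instead of being inferred from the status code alone. The following is an added example, not code from the original entry: the marker string, the local stand-in server and the sample responses (including the 403) are all constructed assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request

SITE_MARKER = b"site-owner: example-ops"  # hypothetical marker the operator embeds in the real page
_direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars


def check_front_page(url, marker=SITE_MARKER, timeout=3):
    """Return (state, status); state is 'down', 'up-unconfigured' or 'configured'."""
    try:
        with _direct.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:  # an error status still proves the server answered
        status, body = err.code, err.read(65536)
    except OSError:  # refused connection, timeout, DNS failure (URLError is an OSError)
        return ("down", None)
    if status == 200 and marker in body:
        return ("configured", status)
    return ("up-unconfigured", status)


def start_fake_server(status, body):
    """Local stand-in server that answers every GET with the given status and body."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def demo():  # runs the check against constructed responses, not captured from any real server
    cases = {"stock-error": (403, b"<h1>Test Page</h1>"),
             "stock-200": (200, b"<h1>It works!</h1>"),
             "real": (200, b"<h1>Home</h1><!-- site-owner: example-ops -->")}
    results = {}
    for name, (status, body) in cases.items():
        server, url = start_fake_server(status, body)
        results[name] = check_front_page(url)
        server.shutdown()
        server.server_close()
    results["stopped"] = check_front_page(url)  # nothing listens on that port any more
    return results
```

A stock page served with a 200 and a stock page served through an error handler both come back as `up-unconfigured`, so the result no longer depends on which status code the package maintainer happened to choose.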

(The actual default front page behavior of various web server setups is something I'd probably never count on. All of our web servers have specifically created front pages, even if the front page just says 'there's nothing here'. These days I'd only leave a default front page in place if I was creating some sort of honeypot web server where I wanted to lure attackers in with the prospect of an un-configured server.)

Written on 08 July 2023.

Last modified: Sat Jul 8 22:18:06 2023