Panel Discussion: API Security in DevSecOps. Register Now

Panel Discussion: API Security in DevSecOps. Register Now

Panel Discussion: API Security in DevSecOps. Register Now

/

/

400 Status Code - Bad Request

400 Status Code - Bad Request

400 Status Code - Bad Request
400 Status Code - Bad Request
400 Status Code - Bad Request
Author Image

Luke Stephens

Luke Stephens

Luke Stephens

What is 400 status code?

The HTTP Status Code 400, known as "Bad Request", is a client error response code. It indicates that the server was unable to understand or process the request due to client-side invalid input or malformed request syntax.

In essence, the client has made an error, and the server can't or won't process the request until the issue is resolved.

Understanding 400 status code

  • Client-side Error: A 400 Bad Request typically implies that the error lies with the client. It could be due to malformed request syntax, invalid request message framing, or a deceptive request routing.

    HTTP/1.1 400 Bad Request

  • Descriptive Error Messages: Often, a server will provide a more detailed message or explanation with the 400 Bad Request to help the client understand what went wrong. This can aid in diagnosing and rectifying the issue more efficiently.

    {"error": "Invalid JSON format"}

Why 400 Status Code?

The 400 Bad Request status code serves as an immediate feedback mechanism for the client. When a request is malformed or contains invalid data, the server uses this status code to alert the client, enabling prompt corrective action.

Characteristics of 400 Bad Request

  • Broad Spectrum: The 400 Bad Request can cover a wide range of errors on the client side, from data validation failures to malformed request structures.

  • Corrective Action Needed: This code indicates that the client should modify the request before trying again. Resending the same request without changes will likely result in the same error.

How does 400 Bad Request Work?

  1. Client Sends a Request:

    The client sends a POST request to the server, which may have a syntax error, incorrect data, or other issues.

POST /create-account HTTP/1.1
Host: www.example.com
Content-Type: application/json

{
  "username": "JohnDoe",
  "email": "john.doe@.com" // malformed email address
}
  1. Server Evaluates & Responds:

    The server identifies the issue, in this case, a malformed email address, and sends back a 400 Bad Request status code with an explanatory error message.

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "Invalid email format"
}

Example of 400 Bad Request

Malformed JSON:

POST /update-profile HTTP/1.1
Host: www.example.com
Content-Type: application/json

{
  "name": "Jane" // missing closing brace
}

Response:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "Malformed JSON input"
}

Here, the client sends a JSON payload missing a closing brace. The server identifies the malformed JSON and returns a 400 Bad Request with a descriptive error message.

Real Life Example of 400 Bad Request

Imagine you are using a web application to book a flight. You fill out the form with your travel details and hit the "Submit" button. However, you accidentally enter an invalid date format in the departure field.

The request sent by your browser to the server would look something like this:

POST /book-flight HTTP/1.1
Host: www.flightbooking.com
Content-Type: application/json

{
  "departureCity": "New York",
  "arrivalCity": "Los Angeles",
  "departureDate": "32/13/2022" // invalid date format
}

Since the server expects a valid date format and finds an invalid one in your request, it would return a 400 Bad Request status code, signaling that there's an issue with your request. The server's response would look something like this:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error": "Invalid date format in departureDate field"
}

This response allows you to quickly identify and fix the error in your form input, ensuring the server can properly process your flight booking request.

Final Thoughts

The 400 Bad Request status code is instrumental in providing feedback to clients about errors or issues with their requests. By signalling that there's a problem with the request's syntax, structure, or data, it allows clients to diagnose and rectify their errors. Familiarity with the 400 Bad Request status code and its implications is important for developers, as it's a foundational aspect of effective client-server communication.

On this page

Title

Protect your APIs from attacks now

Protect your APIs from attacks now

Protect your APIs from attacks now

Explore more from Akto

Blog

Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.

Events

Browse and register for upcoming sessions or catch up on what you missed with exclusive recordings

CVE Database

Find out everything about latest API CVE in popular products

Test Library

Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.

Documentation

Check out Akto's product documentation for all information related to features and how to use them.