REST API design and development best practices, which also serve as a checklist when security testing an API:
- Accept and respond with JSON, and declare it with the Content-Type header (reject bodies in other formats rather than guessing)
- Use nouns instead of verbs in endpoint paths
- Name collections with plural nouns (e.g. /users, not /user or /getUser)
- Nest resources for hierarchical objects (e.g. /users/{id}/orders)
- Handle errors gracefully and return standard HTTP status codes; the error body must never contain stack traces, query text or other internal details
- Version the API (e.g. a /v1/ path prefix) so that breaking changes do not affect existing clients
Following these practices gives a predictable API surface, which is also what makes an API testable: a tester can infer resource paths and the expected status codes instead of guessing them.
Common HTTP error status codes include:
- 400 Bad Request – The client-side input fails validation (malformed body, missing or wrongly typed fields).
- 401 Unauthorized – The request lacks valid authentication credentials. Despite the name, this code is about authentication, not authorization, and the response should carry a WWW-Authenticate header.
- 403 Forbidden – The user is authenticated but is not permitted to perform this action on the resource.
- 404 Not Found – The resource does not exist. Many APIs also return 404 rather than 403 for resources the caller is not allowed to see, so that an attacker cannot confirm which identifiers exist.
- 500 Internal Server Error – A generic server error, normally produced by an unhandled exception rather than thrown explicitly. The body must not expose the exception text or stack trace.
- 502 Bad Gateway – The server, acting as a gateway or proxy, received an invalid response from an upstream server.
- 503 Service Unavailable – The server cannot handle the request at the moment, for example because it is overloaded or down for maintenance.
- 504 Gateway Timeout – The server, acting as a gateway or proxy, did not receive a timely response from the upstream server.
- 505 HTTP Version Not Supported – The server does not support the HTTP protocol version used in the request.
- 506 Variant Also Negotiates – Transparent content negotiation for the request resulted in a circular reference.
- 507 Insufficient Storage – The server is unable to store the representation needed to complete the request.
- 508 Loop Detected – The server detected an infinite loop while processing the request.
- 510 Not Extended – Further extensions to the request are required for the server to fulfill it.
- 511 Network Authentication Required – The client needs to authenticate to gain network access. Intended for use by intercepting proxies that control access to the network.
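The following is an added example, not code from the original page: a minimal, framework-free Python request handler that applies the design rules above (JSON bodies, plural nouns, a version prefix, a nested /v1/users/{id}/orders collection) and maps failures to the 400, 401, 403, 404 and 500 codes from the list. The users, tokens and orders are constructed sample data, and the route regexes, the `ApiError` class and the `handle()` function are hypothetical names chosen for the illustration.

```python
import json
import re
from http import HTTPStatus

# Constructed in-memory data standing in for a database (example only).
USERS = {"42": {"id": "42", "name": "alice"}, "7": {"id": "7", "name": "bob"}}
ORDERS = {"42": [{"id": "1", "total": 12.5}], "7": []}
READ_ONLY_USERS = {"7"}                         # bob may read but not create orders
TOKENS = {"tok-alice": "42", "tok-bob": "7"}    # toy bearer tokens, not real credentials


class ApiError(Exception):
    """Raised by handlers; carries the status code and a client-safe message."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def authenticate(headers):
    """Return the caller's user id, or raise 401 when credentials are absent or invalid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(HTTPStatus.UNAUTHORIZED, "authentication required")
    user_id = TOKENS.get(auth[len("Bearer "):])
    if user_id is None:
        raise ApiError(HTTPStatus.UNAUTHORIZED, "invalid credentials")
    return user_id


def require_owner(caller, user_id):
    """Treat another user's collection exactly like a missing one (404), so an
    authenticated caller cannot probe which user ids exist."""
    if user_id not in USERS or caller != user_id:
        raise ApiError(HTTPStatus.NOT_FOUND, "resource not found")


def list_orders(caller, user_id):
    require_owner(caller, user_id)
    return HTTPStatus.OK, ORDERS[user_id]


def create_order(caller, user_id, body):
    require_owner(caller, user_id)
    if caller in READ_ONLY_USERS:   # authenticated, resource visible, action not allowed
        raise ApiError(HTTPStatus.FORBIDDEN, "account is read-only")
    total = body.get("total") if isinstance(body, dict) else None
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(total, bool) or not isinstance(total, (int, float)) or total <= 0:
        raise ApiError(HTTPStatus.BAD_REQUEST, "'total' must be a positive number")
    order = {"id": str(len(ORDERS[user_id]) + 1), "total": float(total)}
    ORDERS[user_id].append(order)
    return HTTPStatus.CREATED, order


# Versioned prefix, plural nouns, nested collection for the user -> orders hierarchy.
ROUTES = [
    ("GET", re.compile(r"^/v1/users/(?P<user_id>\d+)/orders$"), list_orders),
    ("POST", re.compile(r"^/v1/users/(?P<user_id>\d+)/orders$"), create_order),
]


def handle(method, path, headers, raw_body=b""):
    """Dispatch one request and return (status, response headers, JSON body text)."""
    response_headers = {"Content-Type": "application/json"}
    try:
        caller = authenticate(headers)
        handler, params = None, None
        for route_method, pattern, route_handler in ROUTES:
            match = pattern.match(path)
            if match and route_method == method:
                handler, params = route_handler, match.groupdict()
                break
        if handler is None:
            raise ApiError(HTTPStatus.NOT_FOUND, "resource not found")
        if method == "POST":
            try:
                body = json.loads(raw_body)
            except ValueError:
                raise ApiError(HTTPStatus.BAD_REQUEST, "body is not valid JSON")
            status, payload = handler(caller, body=body, **params)
        else:
            status, payload = handler(caller, **params)
    except ApiError as err:
        if err.status == HTTPStatus.UNAUTHORIZED:
            response_headers["WWW-Authenticate"] = 'Bearer realm="api"'
        status, payload = err.status, {"error": err.message}
    except Exception:
        # Never echo the exception: its text can carry file paths, SQL or secrets.
        status, payload = HTTPStatus.INTERNAL_SERVER_ERROR, {"error": "internal error"}
    return int(status), response_headers, json.dumps(payload)


if __name__ == "__main__":
    print(handle("GET", "/v1/users/42/orders", {"Authorization": "Bearer tok-alice"}))
    print(handle("GET", "/v1/users/42/orders", {}))
    print(handle("POST", "/v1/users/7/orders", {"Authorization": "Bearer tok-bob"}, b'{"total": 3}'))
```

Two choices in the dispatcher are deliberate. Authentication runs before routing, so an unauthenticated caller learns nothing about which paths exist, and a caller who is authenticated but asks for someone else's collection gets the same 404 body as for a user id that does not exist; 403 is reserved for an action the caller may not perform on a resource they are already allowed to see. Any exception that is not an `ApiError` is turned into a fixed 500 body, so a bug in a handler cannot leak its traceback to the client.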