Monthly Archives: May 2015

When to Use HTTP 401 vs 403

I’ve been making a Sinatra plugin to better support Tenjin’s Story Oriented process.[1]

Here’s my final decision: 401 is for Identification, and 403 is for Permissions.

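| HTTP Code | Server Says  | Server Means                                            |
|-----------|--------------|---------------------------------------------------------|
| 401       | Unauthorized | I’m not telling you anything until you show me some ID  |
| 403       | Forbidden    | Your ID is valid, but you don’t have clearance          |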

This is a little contrary to what the spec actually states, but with good reason. The full RFC includes a statement that (emphasis mine):

If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials.

To me, applying this rule would make 403 nearly or totally useless. If there is a file that nobody may ever access via HTTP, it’s better that the server not tell anyone about it (404). Sharing existence information would only be potentially harmful; it’s admitting that a file exists that is also important enough to protect.

As a developer, I’d rather have a distinction between “I don’t know you” and “you can’t do this” over trying to detangle both. I’m not the only one to feel this way, either.

Just because something is standardized, doesn’t mean it can’t change. Those original standards are from fifteen years ago, and the way we use the internet has changed drastically. We’re moving away from the web-addresses-as-file model and toward web-address-as-command. Holding on to irrelevant or misguided standards just because they’re standards won’t help anyone.
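
The decision order described above (404 for things nobody may fetch, 401 for identification, 403 for permissions), written as a Rack-style handler in plain Ruby. This is an added example, not code from the original post or the plugin it mentions; the users, roles, routes and the `identify`/`respond`/`secure_compare` names are constructed for illustration.

```ruby
require 'digest'

# Constructed sample data: hypothetical users, roles and routes.
USERS = {
  'alice' => { sha256: Digest::SHA256.hexdigest('correct horse'), roles: %i[admin reader] },
  'bob'   => { sha256: Digest::SHA256.hexdigest('hunter2'),       roles: %i[reader] }
}.freeze

ROUTES = {
  '/reports'       => :reader,
  '/admin/users'   => :admin,
  '/internal/keys' => :nobody # never served over HTTP, so its existence is not admitted
}.freeze

# Compare two strings without stopping at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Identification: return the user name for valid Basic credentials, else nil.
def identify(env)
  scheme, blob = env['HTTP_AUTHORIZATION'].to_s.split(' ', 2)
  return nil unless scheme == 'Basic' && blob
  name, password = blob.unpack1('m').split(':', 2)
  user = USERS[name]
  return nil unless user && password
  secure_compare(user[:sha256], Digest::SHA256.hexdigest(password)) ? name : nil
end

# Rack-style handler: takes an env hash, returns [status, headers, body].
def respond(env)
  required = ROUTES[env['PATH_INFO']]
  # Unknown and never-accessible paths look identical: 404 for everyone.
  return [404, {}, ['Not Found']] if required.nil? || required == :nobody

  user = identify(env)
  # "I don't know you": missing or bad credentials. A 401 must carry a challenge.
  return [401, { 'WWW-Authenticate' => 'Basic realm="example"' }, ['Show ID']] unless user
  # "You can't do this": the identity is fine, the role is not.
  return [403, {}, ['Forbidden']] unless USERS[user][:roles].include?(required)

  [200, {}, ["Hello, #{user}"]]
end
```

Checking the route before the credentials is what keeps `/internal/keys` indistinguishable from a path that does not exist, whoever is asking.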


  1. More on this later. There are half-written posts, I promise.

So This Is Goodbye

Grooveshark shut down this past Thursday.

It hit me harder than it arguably should have. Yes, it is a fundamental, unexpected interruption to the way that I work, but there’s something more to it. It’s just a music service after all. I didn’t know anyone who worked there, and I didn’t have any stock in the company.

Maybe it’s because my ravenous exploration of new music helped me through the difficult transition period around 2011. Grooveshark was the provider of much-needed colour in my life. Grooveshark hummed away while I finished my degree, redefined myself, grew into leadership, and built a business. I had discovered thousands of tracks and organized them carefully into task-oriented playlists.

And here I was, scrambling to hopefully retrieve whatever data I could before it was gone forever. Search and rescue for refugee data from a failed corpo-state. My computing wizardry skills at least meant that I managed to make it out with around 60% to 80% of my collection’s listing. That’s more than some can say.

Shortly after hearing of the service’s demise, but before discovering the Reddit tutorial, I realized that my laptop would still have a copy of the last page I was on until I refreshed. Opening it, I saw the player there, forever frozen halfway through the last song Grooveshark would ever play for me: an alternatively-labelled Porcelain by Moby.

Call Me Ishmael

Sometimes life imitates art.
