451 is also pretty common here in the EU for US websites that don't want to deal with EU privacy law and just block all EU ip addresses. Edit: should have continued watching for 3 seconds lol...
I wasn't expecting it that you didn't shill some VPN right after briefly mentioning how it can be used for protection :D My brain was processing it for a few seconds
I used 418 once as I blocked an IP because I suspected it trying to DDOS my server. I received a call from the client behind that IP minute later. Its computer got a trojan and was trying to access all the servers this person used. The joke lasted five minutes, but it was useful.
4xx doesn't necessarily mean that it's the user's fault. For example 404 (Not Found) does not mean it's your fault that the resource wasn't found. It's more of a message _for_ the client, rather than the server administrator (5xx errors).
While it's true in practice that they aren't necessarily the client's fault (all errors can theoretically be anybody's fault), that's still what they are supposed to mean. 4xx are supposed to be errors that the client can fix, e.g. by requesting the correct URL. In that sense, they are the client's fault. They are also called "client errors" for that reason. It doesn't really make sense to say they are instead messages for the client. A 5xx is still for the client. It tells the client that something is wrong with the server and they can't (directly) do anything about that. And similarly, many a 404 can also be relevant to the server administrator, possibly indicating a missing redirect, and there are other 4xx for which this applies.
It's more that the solution is on the client's side and not the server's side. If you ask for something that doesn't exist, the solution is to either tell the server to create it (if you're allowed) or to ask for something that DOES exist. Same way, if you manage to send the server something that sends it into a tailspin, it's not YOU who should fix it, it's the server side.
It is your "fault" because you asked for something that doesn't exist (and never existed). If instead you asked for something that exists or existed at some point (and you are allowed to see it) the server will respond with a 2xx code for success, a 5xx if it can't show it to you because of some problem server-side or 3xx if it was there but now it's somewhere else (redirect).
418: Sir, this is a Wendy's. Also 418 goes with the Hyper Text Coffee Pot Control Protocol. When you're trying to talk to a coffee pot, but find a teapot instead.
I love this video. The light sprinkling of jokes and memes does not detract from the clarity of the video. You have great audio, great enunciation, and very good writing. 👍
In case anyone wonders: HTTP status codes are defined in many different standards, so it's not like there is a single official standard that decides what is an official status code and what not. Instead the IANA has a list of official status codes and if a code is listed there, it is considered official, otherwise it isn't. This list also gives every status code a name and links to the standard that defines it. I cannot put a link here (UA-cam doesn't like links in comments unless those are YT links) but if you search for "Hypertext Transfer Protocol (HTTP) Status Code Registry" you should find that list.
6:35 What exactly is meant by "official"? Status 418 was proposed in RFC 2324, is recognized in all major browsers and is listed on pretty much all documentation (whereas 218, 530, and 420 are *not*. 451 is proposed in RFC 7725). Or do you mean that it is formally a part of HTTP? In which case yeah, the latest standard RFC 9110 includes none of the codes in this video, although it does acknowledge the existence of HTCPCP and reserves 418 as unassignable until all 4xx tier status codes are exhausted.
I'm referring to IANA, which only 451 falls on to that in this list. However 418 is special for the reasons you mentioned, as it's widely supported and accepted without being "officially official". I hope that makes sense? I apologize for not clarifying that properly on the video!
4:01 It seems very likely that it’s a reference to Douglas Adams’ Hitchhiker’s Guide to the Galaxy books, where the “meaning of life, the universe, and everything” is 42, and the titular guide has the following message printed on its cover: “Don’t panic.” (This could be roughly translated to “enhance your calm”.)
I think the biggest issue with 418 is that someone somewhere depends on it to work the way it does. It's the same with some weird stuff in html. There were some unofficial abbreviations for tags in some browsers decades ago and Google found out that enough sites still use them to rather implement a workaround in chrome and actually include these in the official HTML spec.
6:37 I'm pretty sure that 418 is actually an Official Status Code, it's covered in the Mozilla HTTP Response status codes documentation and is supported by all "big" Browsers. But do correct me if I'm wrong
You are correct! It is now "officially" supported. It basically became official by most HTTP implementations supporting it, despite not having an official RFC. I
RFC 9110, section 16.2.1 lists the IANA as THE HTTP code registry. And if you look it up you'll see that 418 is listed as "unused" (interestingly, not "unassigned"). I'd post a link, but only scam bots seem to be allowed to post them. So I'll let you google it instead.
The reason you want to have all internal errors as 500 is that you don't want to disclose error information that can then inform attackers about potential attack points. So having all failures be 500 means no specifics get out. They should be logged internally, not broadcasted to visitors (PHP error dumps, I'm looking at you). Be creative with 1xx-4xx, but not 5xx.
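An added example (not from the commenter) of the practice described in the comment above: a WSGI middleware that logs the full failure internally and sends the visitor only a bare 500 with an incident ID for correlation. The class name, the `flaky_app` application and its error message are constructed for illustration.

```python
import io
import logging
import sys
import uuid


class GenericErrorMiddleware:
    """Log the real failure server-side; answer the client with a bare 500."""

    def __init__(self, app, logger):
        self.app = app
        self.logger = logger

    def __call__(self, environ, start_response):
        try:
            # Materialise the body so errors raised while iterating are caught too.
            return list(self.app(environ, start_response))
        except Exception:
            # The incident ID is the only link between what the visitor sees
            # and the detailed server-side log entry.
            incident = uuid.uuid4().hex[:12]
            self.logger.exception(
                "incident=%s %s %s",
                incident,
                environ.get("REQUEST_METHOD"),
                environ.get("PATH_INFO"),
            )
            body = ("Internal Server Error (incident %s)\n" % incident).encode()
            headers = [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ]
            # Passing exc_info lets a real server re-raise if headers were already sent.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]


def flaky_app(environ, start_response):
    """Constructed application: one path fails with a detail-rich exception."""
    if environ["PATH_INFO"] == "/report":
        raise RuntimeError("db connect failed: host=db.internal.example user=app")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, path):
    """Minimal WSGI driver for the demo: returns (status, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def demo():
    """Run one good and one failing request; return both responses and the log text."""
    log_buffer = io.StringIO()
    logger = logging.getLogger("app.errors.demo")
    logger.handlers[:] = [logging.StreamHandler(log_buffer)]
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    app = GenericErrorMiddleware(flaky_app, logger)
    ok = call(app, "/")
    failed = call(app, "/report")
    return ok, failed, log_buffer.getvalue()


if __name__ == "__main__":
    ok, failed, log_text = demo()
    print(ok)
    print(failed)
    print(log_text)
```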
honestly I'd just use the 418 code as an 'improper request' sort of thing? sure it's supposed to mean "im a teapot" but just word things differently and it's accepted
The comedian/actor Tim Brooke-Taylor, famous for his role in the UK comedy series The Goodies, would often shout in moments of high stress and confusion "I'm a Teapot, I'm a Teapot".
1:52 Yes, putting annoying banners around your website informing that yes, like the rest of the internet, you do indeed use cookies, solves so very much. You definitely aren't targeted by analytics from google, facebook and microsoft anymore. Oh, god, it's so stupid it hurts🤕
@@dreamsofcode not really sad, you could just not use other people's websites. I don't see people complaining that they're recorded when going into a supermarket and buying stuff. Expecting privacy for free use of other people's websites is entitlement
4xx codes don't actually mean "it's your fault", it means the reason why the server couldn't answer the request is because there was something wrong with the request itself. Contrary to 5xx which means the request might have been fine but there was a server problem preventing an answer. So 451 does mean "This request cannot be answered for legal reasons" but without the connotation that this is your fault, unless you want to argue that it's always your fault if a request doesn't work as you made that request, yet it's not your fault that the request may be unlawful, unless you made that law or try to intentionally break it.
Haha thanks for clarifying. You're correct, aka 200 ;). I was being a little "tongue in cheek" in the video and did call out they're used for client errors in the later part. I hope I didn't come across too serious regarding them being "your fault"!
I've spent over a decade thinking that http stood for "head to the page" and https meant "head to the pages". I also thought that websites starting with http instead of https were older and less stable (which might have a grain of truth, I don't know). ...So. Apparently I don't know as much about the thing that I use every day as I thought.
The s in https stands for secure, and just means that the data being sent with the packet is encrypted. Though http sites are usually older than https, which comes with less stability.
I bet the 420 and 429 Status codes see much more use on Twitter nowadays. 😜 Also, slight tangent. I hate, that some devs will use the 4xx range to define "User"-Errors. ("User" == the poor person sitting in front of the screen, while "Client" == The script/Website itself) For example, sending 404, when a request was successful, yet the data, the User requested, does not exist. (Like no Dataset in a DB). That is what 204 is for IMO. Using 404 in such a scenario makes it unnecessarily difficult to debug and find if that 404 comes from the server being misconfigured or if it is the script just doing its thing.
204 is for API paths that, even on success, will never return something because there isn't and never will be anything to return. It has done its job and that job doesn't need to produce any more output than "Done! Everything went well." 404 instead is way better suited for when the client asks for something that doesn't exist but could've existed (eg. the public user profile of a user that doesn't exist, yet). What you should never do is return 404 (or even 204) when the client asks for a list of things and that list turns out to be empty, because an empty list is still definitely something.
I think an empty list of the resources should be returned as an empty array with 200. If the resource exists but has no content, then go with 204. And 404 means the resource does not exist.
GET /users => 200 with empty array []
GET /user/1 => 204 no content
GET /user/9487 => 404 not found
I can't believe they tried to kill 418! I mean it's 2023, the world of IoT is upon us, this is an important, no, *critical* error code for any and all smart teapots!
About the 420 error code and enhance your calm: 420, 4:20 or 4/20 (pronounced four-twenty) is cannabis culture slang for marijuana and hashish consumption, especially smoking around the time 4:20 pm (16:20). It also refers to cannabis-oriented celebrations that take place annually on April 20 (4/20 in U.S. and Canadian date form).
5:50 Wow wth. at the exact moment you mentioned 'Pantheon', I got an ad from heckin' PANTHEON. Before I had never even heard of that company. Scary..............
502 and 503 are the ones I get a lot of. After all, it's often that servers are hidden behind proxy servers, and it's also often that servers are down for maintenance or simply ddosed.
418 can be useful for users that go to a valid page they're allowed to visit, but they're lacking context to make it useful. Like a generic error page with no parameters.
I want a 486 status code, for people who have abused the server by trying to hack it or other terms of service violations and they are 86ed from the server. And 586 for unauthorized hot linking/scraping from other sites.
@@ra2enjoyer708 None of the existing status codes provides the information that the server is actively or intentionally refusing the request. The 403 is actually a your papers are expired; and 401 is a request for papers. These are not refusals. Since web apps are more evolved they can be sophisticated enough to determine a condition when the request should be refused; 486 is with an explanation and 586 is without.
The 403 Forbidden: The request contained valid data and was understood by the server, but the server is refusing action. This may be due to the user not having the necessary permissions for a resource or needing an account of some sort, or attempting a prohibited action (e.g. creating a duplicate record where only one is allowed). This code is also typically used if the request provided authentication by answering the WWW-Authenticate header field challenge, but the server did not accept that authentication. The request should not be repeated.
The 401 Unauthorized: Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. Some sites incorrectly issue HTTP 401 when an IP address is banned from the website (usually the website domain) and that specific address is refused permission to access a website.
----
If a page such as (consider twitter or youtube as an example), Explicitly forbidden because the account violated TOS. a 403 does not convey the information the page is removed because of TOS .... and after a 403 the requests keep coming with modifications (different papers) to the request. Another use case would be for any file that begins with a dot (.htaccess being an example but there are other dot files which should never be delivered with intent); A 486 would indicate the content is blocked by intent ... a firewall can then be alerted by the 486 status code and if too many requests are 486 from the same IP that IP can be blocked (86ed) for a period of time. The only 451 content blocked is too specific to legal not TOS. A 486 conveys in a humorous way a general URL is known but, (don't need to try differently), it is not going to be provided.
---
None of the 5XX codes suggest the server is unwilling to deliver the page they all say or suggest the server is unable or does not know how to deliver the page. The practical difference between the 4XX and 5XX is 4XX provides an explanation (body) that can appear in the browser, telling the user what is wrong; And, The 5XX is just the code and thus becomes more useful for applications that are using the internet, as the server does not take time to create a body. 503 Service Unavailable is [(The server cannot handle the request (because it is overloaded or down for maintenance)] A request for a login from a remote site or a bot may be by intention, (or terms of service), be blocked or requests for URLs used to transfer user information, (such as a request for webRTC details to connect to a peer system, which has not accepted the request to connect). A code of 586 represents, the server understands the request and is intentionally saying no. And again too many 586 responses alerts the firewall to 86 the IP address. So the X86 codes I would like are more of a (you are scaring the server and stop it or you will get blocked), or (that page/user is was removed not 410 they can appeal).
---
Regarding leaking a heads up to black hats. The black hats will know when they get 86ed by the firewall. The X86 codes alert the software application which may have inadvertently made a request to an X86 page that it needs to stop requesting that URL until things are resolved. Maybe the blackhats will get the clue that the door is locked and look elsewhere for an unlocked door, if not they get 86ed and need to use a different IP address.
There is one game I played once where if you managed to trigger a 420 error code you would get some bonuses. It was quite cool, but I only could get it to work once
To quote Mozilla Docs, "418 I'm a teapot The server refuses the attempt to brew coffee with a teapot." LOL it's so much of a joke that the official definition is literally your explanation.
hah. coincidentally, at work i've used status code 451 in a project where I forced our partners to sign some legal documents to keep using our services
Joke RFCs are one of the reasons this field is so fun to be a part of. Making everything all business all the time is pointless. It's okay to laugh a little!
I somewhat often get a 400 error code when logging into my Google account (which I do very often due to switching operating systems and devices every week or so). I find it very funny how they frame the error: "400. That's an error. The server cannot process the request because it is malformed. It should not be retried. That's all we know."
Please can you make a video about IP over Avian Carriers (IPoAC). Homing pigeons carrying internet traffic has to be one of the weirdest forms of Internet Protocol.
Oddly enough, I think I have configured servers to return all of these at one point or another.
420 is useful when you have more than one rate limiting scheme.
218 is a snarky way to tell your API user to RTFM after making your service capable of handling that specific malformed request. Legacy systems that yours is not quite a drop in replacement for are usually involved.
530 is not completely unique to Pantheon, if you encounter it in the wild it is either someone that did not pay a bill, or more likely an error case that needs communicated in as few bits as possible to some particular client and so the dev co-opted a status code just legit enough that it won't raise any alarm bells with draconian network managers but weird enough that nobody is going to complain they can't use it for a "legitimate" purpose.
As for 418, see 218. I see that you are hitting my service with code you wrote for that other API. This is not a drop-in replacement, and I have not hacked in an adapter that works for your use case.
I feel like a Pavlovian dog after I have watched so much YouTube, cause after you recommended to use a VPN my finger was ready to scroll in the video as I was sure there was coming an ad segment haha.
I actually used a 451 for all IPs connecting a few months ago while I was working on removing some resources I had realized were not legal to share online. Later changed it to a 410 and then a few weeks later 404
Meanwhile the teapot bait and switched me from thinking I'd get the 410 Gone. It's very rare but a bit chilling when you get that one ("the resource is gone, stop asking"). Iirc some call center dialers staff considered a 410 on voip line calls a "customer cancelled their line".
I remember once being shown the HTTP messages using a "Give me coffee" request analogy. IIRC it went as follows:
200: Here's your coffee. (OK)
400: Covfefe? (bad request)
401: I don't know if I can serve you coffee. (Unauthorized)
402: $3.50 please (Payment required)
403: You can't have coffee. (Forbidden)
404: We're out of coffee. Try again later.
410: We don't sell coffee anymore. (Gone)
418: Here's your tea. (Teapot)
450: Aren't you too young for coffee? (Parental Control)
Last time I saw a 410 in the wild the person in question was claiming they were being censored and trying to reach their profile page actually got you a plain "410 Gone | nginx" page instead of the usual "this profile isn't available/doesn't exist".
Status code 451 is also a reference to the book/movie Fahrenheit 451, and it’s honestly a pretty good match
lol
that actually makes sense😊
That's awesome!
A good match for the censorship implementations, but doesn't really make sense with GDPR, which is basically "we're not letting you in because we're not allowed to infringe on your privacy"
Wish they'd have used a different one for that
@@aVeryTinyCat for a lot of websites I'm sure it's more like "I don't want to worry about how European law affects me, and isn't worth the traffic I get there." There's a lot of ways to violate GDPR, including IIRC just debug logs.
Guy Montag reference
451 refers to Fahrenheit 451 by Ray Bradbury. It means access is restricted due to censorship.
The implementation is kinda rebellious, since usually you would not be allowed to tell that information exists but you won't show it.
451 is the status code for digital book burning.
That's a really awesome fact. It's a shame it got used because of GDPR as that seems to have taken away from the original intent.
It basically means "We can't show it to you, but it's not a 404, what you're looking for exists and if you keep looking maybe you will find it"
Which brings us to another kinda interesting phenomenon: web servers often lie by using 404 - not found, when the resource actually exists but they *don't* want to let you know that it does. For instance, this is what happens if you try to view a private github project that you don't have the right permissions for.
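An added example (not from the commenter) of the behaviour described in the comment above: a handler that answers "exists but you may not see it" with exactly the same 404 as "does not exist", next to a leaky variant that returns 403, and a small check a defender can run to confirm the two cases are indistinguishable. The repository names, users and function names are constructed for illustration.

```python
# Constructed sample data: one public and one private repository.
REPOS = {
    "acme/website": {"private": False, "members": set()},
    "acme/payroll": {"private": True, "members": {"dana"}},
}

# One shared response object so status, headers and body are identical in every 404 case.
NOT_FOUND = (404, {"Content-Type": "text/plain"}, "Not Found\n")


def can_read(repo, viewer):
    """Public repositories are readable by anyone, private ones by members only."""
    return not repo["private"] or viewer in repo["members"]


def ok(name):
    return (200, {"Content-Type": "text/plain"}, "contents of %s\n" % name)


def leaky_get(name, viewer):
    """Distinguishes 'missing' from 'not allowed', so it confirms private names."""
    repo = REPOS.get(name)
    if repo is None:
        return NOT_FOUND
    if not can_read(repo, viewer):
        return (403, {"Content-Type": "text/plain"}, "Forbidden: %s is private\n" % name)
    return ok(name)


def masked_get(name, viewer):
    """Treats 'not allowed' exactly like 'missing': same status, headers and body."""
    repo = REPOS.get(name)
    if repo is None or not can_read(repo, viewer):
        return NOT_FOUND
    return ok(name)


def existence_oracle(handler, viewer, candidates, known_missing="acme/no-such-repo"):
    """Return the names a viewer can tell exist without being able to read them.

    A name leaks when its response is not a 200 and still differs from the
    response for a name that is known not to exist.
    """
    baseline = handler(known_missing, viewer)
    leaked = []
    for name in candidates:
        response = handler(name, viewer)
        if response[0] != 200 and response != baseline:
            leaked.append(name)
    return sorted(leaked)


if __name__ == "__main__":
    names = ["acme/website", "acme/payroll", "acme/typo"]
    print("leaky :", existence_oracle(leaky_get, "eve", names))
    print("masked:", existence_oracle(masked_get, "eve", names))
```

The comparison covers only what is in the response; a handler that takes measurably longer for a hidden resource than for a missing one still leaks through timing.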
@@dreamsofcode Also it's in the 400's because allowing your government to censor you instead of assassinating your politicians is your fault, not the server's fault.
Actually, RFC 7725 (which specifies this status code) explicitly states that it "implies neither existence nor nonexistence of the resource named in the request".
So 418 is basically the webserver equivalent of "Sir this is a Wendy's" 💀💀💀
I'm not even American, but damn 💀
That is an extremely accurate summary
I wish I had thought of this 🤣
I honestly hope this is taken for a possible:
"518 - Sir, this is a Wendy's"
to inform the request was so absurd it crashed the server in some capacity.
@@qchtohere8636 as an ex-Wendy's employee I have heard internal silly and absurd remarks, so this would be perfect as a 5xx request if it weren't for copyright.
Error status codes are not about placing blame, they're more about explaining why this error is returned and what you can do to fix it. 4xx is generally "something on the client side", 5xx is "something on the server side"
With 451, you can move to another country, change your country's laws, use a VPN - all of that does not concern the server very much.
Meanwhile 5xx errors are caused by stuff that the client has no control over: some sort of bug in the server code, availability issues with other servers it talks to, etc.
I'm happy to place blame on the user for bad input.
In all seriousness, you're correct. I have a dry sense of humor so that may not have come across in the video.
@@dreamsofcode yeah, I'm not saying you're wrong (and you elaborated more on the 4xx vs 5xx concept later in the video), I just said it because I thought some people might find it confusing
If moving to another country is an acceptable reason to make something the client's fault, make every 5xx code a 4xx code as the user can always hack into the servers and fix the issues themselves or try to get hired by such company.
It doesn't "make it the client's fault", it means the *reason* for the error, and therefore the possible means to fix it, is in the request made by the client. 4xx means the request, as it was made and given the server state, can't succeed. The client can change something, or they can give up, but the fact is the request won't succeed unless something changes either in the request or in the server state. While 5xx means the request is valid and should have succeeded, but something is wrong with the server; the exact same request could succeed once the server-side problem is fixed. In case of 451 used for geoblocking (originally it was meant for censorship) we're definitely in the 4xx case - the server is not willing to serve requests coming from the client's country, no matter how unrealistic it might be for the client to move to another country the fact is a request coming from that country won't be served and it's not a bug nor going to change.
@@aysnov If it is shown because of the simple need of respecting privacy (as the GDPR or EU Law in general states), it becomes a 5xx since the reason of the fault is on the server side of being in a developing country without proper privacy rights.
451 for geoblocking might be correct, but still useless.
Just wanted to point out that 429 was the exact code we were getting during the rate limiting nonsense at Twitter recently. Super funny timing.
I wish I had a different thumbnail prepared!
@@dreamsofcode you can change thumbnails after release fyi
and here i was, CERTAIN that elongated muskrat would have made them use 420. maybe they never told him about it, and we're all better off for it
101 is an interesting code. It means “switching protocols” and wasn’t generally used before Websockets. An HTTP/S request to a WS server returns 101 and then awaits a Websocket packet. The connection then carries WS traffic (which is basically TCP)
Learning about 418 was the highlight of my software engineering class. I never got to implement it but I still think 418 is hilarious. Let us software devs keep our dumb jokes
Agreed! I will never not find a recursive algorithm enjoyable.
I’ve implemented it before many times when doing microservices. I set them up with published gateways and it’s not much effort to have servers spot if the service is trying to be accessed but on a gateway of another service it can return a 418 and which server you want.
It’s avoided mistakes and has improved developer experience, people aren’t banging their heads against their desk confused as to why the endpoint they’re accessing says it doesn’t exist when they’re just making requests to the wrong server, checking logs for 418s there’s often a lot of responses.
I’ve had people say that it’s a security vulnerability making it possible for any server to tell users what servers exist and what gateways it has however I don’t rely on obscurity for my security, I use actual security (there is still the obscurity of private gateways remaining private but it would be fine to publish those)
What I love about early software is that it's full of easter eggs that we can't remove or change due to backwards compatibility.
So an inside joke is now permanently part of the core infrastructure of the world today.
There probably exists an actual teapot with 418 printed on the side. Hopefully it's that one teapot from all the 3D modeling jokes.
I actually used 418 the other day. My backup web servers are Raspberry Pi's and don't have much storage attached to them. When one of the backups is the main server (because the main server is getting maintenance) when one of the services that uses a lot of data / drive space, I returned a 418 code to say that this server can't really do that. I later decided that 503 was more acceptable as that part of the service is not available.
I love hearing 418 stories! I'd love to hear more about your raspberry pi backup servers. How can I find out more?
Nothing beats status code 418: I'm a Teapot
It's the OG/GOAT
I configured my reverse proxy to change all 200, 400, and 500 status codes to 418 for a while. Good stuff!
You should make an hour long documentary covering all the petitions, debates and rfcs of 🫖
agreed
@@valshaped *_218_*
It should be noted that Emacs does have an implementation of that april fool's joke thing that allows it to talk to compatible coffee makers (the list of which is currently 'nil, but that might change some day), so it's in "actual" use...
Good ole emacs never disappoints!
The lack of response, when using Emacs must be due to a different Java variety. 😉 No bad (or good) pun shall go un-pun-ished. 😎
200: I got what you wanted
300: I got what you wanted, it's over here
500: My bad
400: Your bad
401: Log in you dingus
403: You're not allowed here you dingus
404: It's not here
These are the most used ones. If you consume an API, ignore HTTP 300 and then contact support, we're legally required to slash your tires. If you run an API and ask for "all the things that are like this", like say "all my posts for the last 5 days on reddit" and send me a 404 instead of a 200 OK and an empty list, I am legally required to waterboard you until you learn the error of your ways. (Which btw, is a 500 error, because YOU did the wrong thing)
🤣🤣🤣
418: Bruh don't drink water on toilet
402: You need to pay you dingus
you missed 201 created
@@kenzostaelens1688
I missed plenty, I just showed the most common ones. :)
451 is also pretty common here in the EU for US websites that don't want to deal with EU privacy law and just block all EU ip addresses. Edit: should have continued watching for 3 seconds lol...
Haha. You're just spot checking me 😉
I wasn't expecting it that you didn't shill some VPN right after briefly mentioning how it can be used for protection :D My brain was processing it for a few seconds
🤣🤣 I was hoping I'd have a sponsor in my inbox but alas, it didn't happen
I know, right? I had my hand on the keyboard to skip the inevitable advertisement... then it just never happened.
Same just abouta skip and dislike
I used 418 once as I blocked an IP because I suspected it trying to DDOS my server.
I received a call from the client behind that IP minute later. Its computer got a trojan and was trying to access all the servers this person used. The joke lasted five minutes, but it was useful.
Wait, 418 as in "this server is not intended to be DDoSed"?
@@Xnoob545 no 418 as "this teapot is not intended to be DDOSed"
😂😂😂
4xx doesn't necessarily mean that it's the user's fault. For example 404 (Not Found) does not mean it's your fault that the resource wasn't found. It's more of a message _for_ the client, rather than the server administrator (5xx errors).
You're correct, it's more the client's fault than the user's. For example, it's not the user's fault if a hyperlink is broken.
While it's true in practice that they aren't necessarily the client's fault (all errors can theoretically be anybody's fault), that's still what they are supposed to mean. 4xx are supposed to be errors that the client can fix, e.g. by requesting the correct URL. In that sense, they are the client's fault. They are also called "client errors" for that reason. It doesn't really make sense to say they are instead messages for the client. A 5xx is still for the client. It tells the client that something is wrong with the server and they can't (directly) do anything about that. And similarly, many a 404 can also be relevant to the server administrator, possibly indicating a missing redirect, and there are other 4xx for which this applies.
It's more that the solution is on the client's side and not the server's side. If you ask for something that doesn't exist, the solution is to either tell the server to create it (if you're allowed) or to ask for something that DOES exist.
Same way, if you manage to send the server something that sends it into a tailspin, it's not YOU who should fix it, it's the server side.
It is your "fault" because you asked for something that doesn't exist (and never existed).
If instead you asked for something that exists or existed at some point (and you are allowed to see it) the server will respond with a 2xx code for success, a 5xx if it can't show it to you because of some problem server-side or 3xx if it was there but now it's somewhere else (redirect).
@@qdaniele97 Distinction between user and client. This was more of a bikeshedding comment.
418: Sir, this is a Wendy's
Also 418 goes with the hyper text coffee pot control protocol. When you're trying to talk to a coffee pot, but find a teapot instead.
😂😂😂
😄😄
They did release a later RFC that extends HTCPCP to support teapots
I now want a networked teapot that implements that protocol.
IOT
Internet of teapots
It's a variation on the crystal ball protocol, you just need to find a qualified medium. 😉
Already exists, it's the HTCPCP-TEA protocol, an update of the HTCPCP protocol which originally implemented the 418 status code.
Is there an IoT Teasmade yet?
I love this video. The light sprinkling of jokes and memes does not detract from the clarity of the video. You have great audio, great enunciation, and very good writing. 👍
Thank you so much. I really appreciate the feedback and am glad you enjoyed it!
In case anyone wonders: HTTP status codes are defined in many different standards, so it's not like there is a single official standard that decides what is an official status code and what not. Instead the IANA has a list of official status codes and if a code is listed there, it is considered official, otherwise it isn't. This list also gives every status code a name and links to the standard that defines it. I cannot put a link here (YouTube doesn't like links in comments unless those are YT links) but if you search for "Hypertext Transfer Protocol (HTTP) Status Code Registry" you should find that list.
If there are multiple standards, there are no standards.
More videos like this please! General tech videos are underrated these days with everything becoming so specialized
Thank you for the feedback! I really enjoy doing more general style videos.
418 seems like a really good status code to reply to malformed requests trying to misuse things.
The Pavlovian response I felt at 2:06 was intense, I was SURE that was a segue into a VPN ad read
🤣🤣 I do apologize!
6:35 What exactly is meant by "official"? Status 418 was proposed in RFC 2324, is recognized in all major browsers and is listed on pretty much all documentation (whereas 218, 530, and 420 are *not*. 451 is proposed in RFC 7725). Or do you mean that it is formally a part of HTTP? In which case yeah, the latest standard RFC 9110 includes none of the codes in this video, although it does acknowledge the existence of HTCPCP and reserves 418 as unassignable until all 4xx tier status codes are exhausted.
I'm referring to IANA, which only 451 falls on to that in this list. However 418 is special for the reasons you mentioned, as it's widely supported and accepted without being "officially official".
I hope that makes sense? I apologize for not clarifying that properly on the video!
@@dreamsofcode I did not know the IANA keeps a list of HTTP statuses which is separate from the standard. Neat.
451 is a "client error", because some property of the client (e.g. the country of origin) causes this request to fail.
You are correct! I was being more tongue in cheek 😉
451 is also _"the temperature at which books_ (and freedom) _burn"_ 🔥📚
I'd be very tempted to create a smart teapot simply so that there would be at least one valid and honest user of 418
6:53 "responds politely" whilst calling the client a moron 💀💀💀
thatsthejoke.png
4:01 It seems very likely that it’s a reference to Douglas Adams’ Hitchhiker’s Guide to the Galaxy books, where the “meaning of life, the universe, and everything” is 42, and the titular guide has the following message printed on its cover: “Don’t panic.” (This could be roughly translated to “enhance your calm”.)
Very interesting!
Sad that 429 replaced 420. It was such a good match.
Agreed. 420 was really fun.
@@dreamsofcode Maybe we can find another use for it.
"Just let it go" That's it, I'm calling the cops.
I plead guilty to that one
I think the biggest issue with 418 is that someone somewhere depends on it to work the way it does. It's the same with some weird stuff in html. There were some unofficial abbreviations for tags in some browsers decades ago and Google found out that enough sites still use them to rather implement a workaround in chrome and actually include these in the official HTML spec.
6:37 I'm pretty sure that 418 is actually an Official Status Code, it's covered in the Mozilla HTTP Response status codes documentation and is supported by all "big" Browsers. But do correct me if I'm wrong
You are correct! It is now "officially" supported. It basically became official by most HTTP implementations supporting it, despite not having an official RFC. I
RFC 9110, section 16.2.1 lists the IANA as THE HTTP code registry. And if you look it up you'll see that 418 is listed as "unused" (interestingly, not "unassigned").
I'd post a link, but only scam bots seem to be allowed to post them. So I'll let you google it instead.
@@gtsiam it’s permanently reserved because it cannot be assigned to anything anymore, thus ‘unused’
The reason you want to have all internal errors as 500 is that you don't want to disclose error information that can then inform attackers about potential attack points. So having all failures be 500 means no specifics get out. They should be logged internally, not broadcast to visitors (PHP error dumps I'm looking at you). Be creative with 1xx-4xx, but not 5xx.
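One way to do what this comment describes, as an added example that is not part of the original thread: a WSGI middleware that logs the full failure internally and answers with a bare 500 plus an incident ID. The names `Generic500`, `orders_app`, `call` and `demo`, and the failing connection string, are constructed for illustration.

```python
import io
import logging
import sys
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app.errors")


class Generic500:
    """WSGI middleware: full detail goes to the log, the client gets a bare 500."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            result = self.app(environ, start_response)
            try:
                # Buffer the body so errors raised while iterating are caught too.
                return list(result)
            finally:
                if hasattr(result, "close"):
                    result.close()
        except Exception:
            # The incident ID is the only thing shared between log and response.
            incident = uuid.uuid4().hex[:12]
            # %r keeps attacker-controlled path bytes (newlines) from forging log lines.
            log.exception("incident=%s method=%r path=%r", incident,
                          environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"))
            body = f"Internal Server Error (incident {incident})\n".encode()
            headers = [("Content-Type", "text/plain; charset=utf-8"),
                       ("Content-Length", str(len(body)))]
            # exc_info lets the server replace headers the app may already have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]


def orders_app(environ, start_response):
    # Constructed failure: the exception text carries a connection string.
    raise RuntimeError("connect failed: postgres://app:s3cret@db.internal/orders")


def call(app, path="/"):
    """Minimal in-process WSGI client returning (status, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return seen["status"], body


def demo():
    """Run the failing app behind the middleware; return status, body and log text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    log.addHandler(handler)
    try:
        status, body = call(Generic500(orders_app), "/orders")
    finally:
        log.removeHandler(handler)
    return status, body, stream.getvalue()


if __name__ == "__main__":
    status, body, logged = demo()
    print(status, body.decode(), logged, sep="\n")
```

The incident ID lets support staff find the matching traceback without the response revealing the exception type, message or stack.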
honestly I'd just use the 418 code as an 'improper request' sort of thing? sure it's supposed to mean "I'm a teapot" but
just word things differently and it's accepted
The use of 418 as a general "resource not available at this destination" error is actually a pretty elegant use, in my opinion.
Commenting on 418, teapot is a similar word to honeypot, which is basically a hacker trap
Haha you're correct.
I work with honeypots in my day job as well!
The comments about the teapot code and recursive algorithms going too far are so true and hilarious. great video!
Haha. Thank you, I'm glad you enjoyed it!
Buy me coffee. My teapot is broken
6:35 But 418 IS an official code. see RFC 2324, chapter 2.3.2. It is part of the definition of the Hyper Text Coffee Pot Control Protocol.
🤣🤣 you got me.
Error 420, 418: You tried to brew coffee too many times!
The comedian/actor Tim Brooke-Taylor, famous for his role in the UK comedy series The Goodies, would often shout in moments of high stress and confusion "I'm a Teapot, I'm a Teapot".
1:52 Yes, putting annoying banners around your website informing that yes, like the rest of the internet, you do indeed use cookies, solves so very much. You definitely aren't targeted by analytics from google, facebook and microsoft anymore. Oh, god, it's so stupid it hurts🤕
It's sad how much we are tracked 😔
@@dreamsofcode not really sad, you could just not use other people's websites. I don't see people complaining that they're recorded when going into a supermarket and buying stuff. Expecting privacy for free use of other people's websites is entitlement
@@duckner I just use ublock origin. Don't worry about me. Tracking cookies begone.
@@dreamsofcode what about browser fingerprinting?
@@duckner corporate shill
4xx codes don't actually mean "it's your fault", it means the reason why the server couldn't answer the request is because there was something wrong with the request itself. Contrary to 5xx which means the request might have been fine but there was a server problem preventing an answer. So 451 does mean "This request cannot be answered for legal reasons" but without the connotation that this is your fault, unless you want to argue that it's always your fault if a request doesn't work as you made that request, yet it's not your fault that the request may be unlawful, unless you made that law or try to intentionally break it.
Haha thanks for clarifying. You're correct, aka 200 ;). I was being a little "tongue in cheek" in the video and did call out they're used for client errors in the later part. I hope I didn't come across too serious regarding them being "your fault"!
"I'm a teapot" is so random and unexpected that it's funny.
I had no idea that 418 was used in a legitimate capacity. That somehow makes it even funnier
This is by far the most niche and nerdiest video I have watched this month.
wasn't there also one along the lines of "Server is on fire"
I've spent over a decade thinking that http stood for "head to the page" and https meant "head to the pages".
I also thought that websites starting with http instead of https were older and less stable (which might have a grain of truth, I don't know).
...So. Apparently I don't know as much about the thing that I use every day as I thought.
The s in https stands for secure, and just means that the data being sent with the packet is encrypted. Though http sites are usually older than https, which comes with less stability.
218 makes Apache think he's drunk
418 translates to "i have no idea how to do that", basically.
Now I want to connect an actual teapot to the Internet that does nothing but return 418 codes.
I bet the 420 and 429 Status codes see much more use on Twitter nowadays. 😜
Also, slight tangent. I hate, that some devs will use the 4xx range to define "User"-Errors. ("User" == the poor person sitting in front of the screen, while "Client" == The script/Website itself)
For example, sending 404, when a request was successful, yet the data, the User requested, does not exist. (Like no Dataset in a DB). That is what 204 is for IMO.
Using 404 in such a scenario makes it unnecessarily difficult to debug and find if that 404 comes from the server being misconfigured or if it is the script just doing its thing.
I agree with you. 204 is much better than 404 if the request was successful but there's no content.
204 is for API paths that, even on success, will never return something because there isn't and never will be anything to return. It has done its job and that job doesn't need to produce any more output than "Done! Everything went well."
404 instead is way better suited for when the client asks for something that doesn't exist but could've existed (eg. the public user profile of a user that doesn't exist, yet).
What you should never do is return 404 (or even 204) when the client asks for a list of things and that list turns out to be empty, because an empty list is still definitely something.
@@qdaniele97 agreed!
@@qdaniele97 Aye an empty list should be 200
I think an empty list of the resources should be returned as an empty array with 200. If the resource exists but has no content, then go with 204. And 404 means the resource does not exist.
GET /users => 200 with empty array []
GET /user/1 => 204 no content
GET /user/9487 => 404 not found
I can't believe they tried to kill 418! I mean it's 2023, the world of IoT is upon us, this is an important, no, *critical* error code for any and all smart teapots!
The only day I am not a teapot is when I enhance my calm on 420.
About the 420 error code and enhance your calm: 420, 4:20 or 4/20 (pronounced four-twenty) is cannabis culture slang for marijuana and hashish consumption, especially smoking around the time 4:20 pm (16:20). It also refers to cannabis-oriented celebrations that take place annually on April 20 (4/20 in U.S. and Canadian date form).
Haha yes. Thank you for explaining it further. 🙏
I came across:
400: Bad Request
403: Forbidden
404: Page Not Found
502: Bad Gateway
So 418 is basically the HTTP-version of "Ma'am, this is a Wendy's"
I always set up webservers to have a 418 route for testing, usually containing “I’m short and stout” in the response page.
man, knowing most 404 messages I see are because someone fudged up the page list on the back end and it's a code blaming me is kinda funny
I use 418 as a chaos monkey, returning it randomly, but now I like 530 better. thank you.
5:50 Wow wth. at the exact moment you mentioned 'Pantheon', I got an ad from heckin' PANTHEON. Before I had never even heard of that company. Scary..............
You need a VPN! Quick! Shame there was no sponsor for the video :sob:
451 be like: "your government is protecting you. Please, do not resist."
502 and 503 are the ones I get a lot of. After all, it's often that servers are hidden behind proxy servers, and it's also often that servers are down for maintenance or simply ddosed.
418 can be useful for users that go to a valid page they're allowed to visit, but they're lacking context to make it useful. Like a generic error page with no parameters.
Every time you mentioned region-locked content or a vpn I *swear* I could start hearing "You may want to check out this video's sponsor-"
Haha! I should have tried harder to find one for the video.
451 can also pop up when an American site doesn't want to get a lil location detector so they could comply with EU's data protection
I want a 486 status code, for people who have abused the server by trying to hack it or other terms of service violations and they are 86ed from the server. And 586 for unauthorized hot linking/scraping from other sites.
🤣
If it's unauthorized why do you need a separate code for it (on top of existing two)?
@@ra2enjoyer708 None of the existing status code provides the information that the server is actively or intentionally refusing the request. The 403 is actually a your papers are expired; and 401 is a request for papers. These are not refusals. Since web apps are more evolved they can be sophisticated enough to determine a condition when the request should be refused; 486 is with an explanation and 586 is without.
The 403 Forbidden
The request contained valid data and was understood by the server, but the server is refusing action. This may be due to the user not having the necessary permissions for a resource or needing an account of some sort, or attempting a prohibited action (e.g. creating a duplicate record where only one is allowed). This code is also typically used if the request provided authentication by answering the WWW-Authenticate header field challenge, but the server did not accept that authentication. The request should not be repeated.
The 401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource
Some sites incorrectly issue HTTP 401 when an IP address is banned from the website (usually the website domain) and that specific address is refused permission to access a website.
----
If a page such as (consider twitter or youtube as an example), Explicitly forbidden because the account violated TOS. a 403 does not convey the information the page is removed because of TOS .... and after a 403 the requests keep coming with modifications (different papers) to the request. Another use case would be for any file that begins with a dot (.htaccess being an example but there are other dot files which should never be delivered with intent); A 486 would indicate the content is blocked by intent ... a firewall can then be alerted by the 486 status code and if too many requests are 486 from the same IP that IP can be blocked (86ed) for a period of time.
The only 451 content blocked is to specific to legal not TOS. A 486 conveys in a humorous way a general URL is known but, (don't need to try differently), it is not going to be provided.
---
None of the 5XX codes suggest the server is unwilling to deliver the page they all say or suggest the server is unable or does not know how to deliver the page. The practical difference between the 4XX and 5XX is 4XX provides an explanation (body) that can appear in the browser, telling the user what is wrong; And, The 5XX is just the code and thus becomes more useful for applications that are using the internet, as the server does not take time to create a body.
503 Service Unavailable is [(The server cannot handle the request (because it is overloaded or down for maintenance)]
A request for a login from a remote site or a bot may be by intention, (or terms of service), be blocked or requests for URLs used to transfer user information, (such as a request for webRTC details to connect to a peer system, which has not accepted the request to connect). A code of 586 represents, the server understands the request and is intentionally saying no. And again too many 586 responses alerts the firewall to 86 the IP address.
So the X86 codes I would like are more of a (you are scaring the server and stop it or you will get blocked), or (that page/user is was removed not 410 they can appeal).
---
Regarding leaking a heads up to black hats. The black hats will know when they get 86ed by the firewall. The X86 codes alert the software application which may have inadvertently made a request to an X86 page that it needs to stop requesting that URL until things are resolved. Maybe the blackhats will get the clue that the door is locked and look elsewhere for an unlocked door, if not they get 86ed and need to use a different IP address.
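The counting scheme this comment describes, sketched as an added example that is not the commenter's code: refusal responses are counted per client IP in a sliding window and the IP is banned for a fixed period once a threshold is reached. 486 and 586 are the commenter's proposed codes, not registered ones; the class name, thresholds and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "request" status size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:[^"\\]|\\.)*" (?P<status>\d{3}) '
)
REFUSALS = {486, 586}  # hypothetical codes proposed in the comment above


class RefusalBan:
    """Ban an IP after `threshold` refusal responses inside `window`."""

    def __init__(self, threshold=3, window=timedelta(seconds=60),
                 ban=timedelta(minutes=10)):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.hits = defaultdict(deque)   # ip -> timestamps of recent refusals
        self.banned_until = {}           # ip -> datetime the ban expires

    def feed(self, line):
        """Process one log line; return (ip, until) when a new ban starts."""
        m = LINE.match(line)
        if not m or int(m["status"]) not in REFUSALS:
            return None                  # unparsable lines and other statuses are ignored
        ip = m["ip"]
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if self.banned_until.get(ip, now) > now:
            return None                  # already banned, nothing new to report
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.window:  # drop refusals that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            self.banned_until[ip] = now + self.ban
            return ip, self.banned_until[ip]
        return None


# Constructed sample log; addresses are from the documentation ranges.
SAMPLE = """\
192.0.2.10 - - [10/Oct/2023:13:55:01 +0000] "GET /.htaccess HTTP/1.1" 486 0
192.0.2.10 - - [10/Oct/2023:13:55:03 +0000] "GET /.htpasswd HTTP/1.1" 486 0
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /missing HTTP/1.1" 404 153
192.0.2.10 - - [10/Oct/2023:13:55:05 +0000] "GET /.hidden HTTP/1.1" 486 0
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 586 0
192.0.2.10 - - [10/Oct/2023:13:55:09 +0000] "GET /.htaccess HTTP/1.1" 486 0
203.0.113.5 - - [10/Oct/2023:13:58:30 +0000] "POST /login HTTP/1.1" 586 0
203.0.113.5 - - [10/Oct/2023:14:02:00 +0000] "POST /login HTTP/1.1" 586 0
"""


def demo():
    """Feed the sample log and return every ban that was issued."""
    tracker = RefusalBan()
    bans = []
    for line in SAMPLE.splitlines():
        result = tracker.feed(line)
        if result:
            bans.append(result)
    return bans


if __name__ == "__main__":
    for ip, until in demo():
        print(f"ban {ip} until {until.isoformat()}")
```

Only the client with three refusals inside one minute is banned; the slow repeater and the 404 are left alone, and a per-IP ban also affects every user behind a shared NAT or proxy address.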
I think 486 would be a good code choice for indicating an outdated browser, which won't be served. (IE: IE) 😉
@@thomasbonse 426 already exists for that
There is one game I played once where if you managed to trigger a 420 error code you would get some bonuses. It was quite cool, but I only could get it to work once
The other day I was looking all the http response statuses on MDN Docs and encountered that 418 code. I couldn't believe it
It's really such a little gem in the tech universe
2:04 sounds like you made a segue to a sponsor but forgot to actually put it in :D
Haha. It was such a perfect segue but alas no sponsorship for this video.
To quote Mozilla Docs, "418 I'm a teapot
The server refuses the attempt to brew coffee with a teapot."
LOL it's so much of a joke that the official definition is literally your explanation.
599: I am currently on fire (CPU overheating)
twitter is now really gonna use the 420 status code.
They need to reimplement it 🤣
Funnily enough one of the groups I was in at work was named after the 404 error. The one I'm in now is 418. I named them both.
I was once downloading like 20 songs from Newgrounds and after 7 songs, I received this message.
"Error Code: 420 - Enhance Your Calm"
When you said VPN, I thought "great another ad for a vpn disguised as informative"
At 2:06 I instinctively fast forwarded because I thought a vpn ad was coming....
Hahah I should have filled it with something else.
418 I'm A Teapot should be renamed to "Sir, this is a Wendy's"
hah. coincidentally, at work i've used status code 451 in a project where I forced our partners to sign some legal documents to keep using our services
Joke RFCs are one of the reasons this field is so fun to be a part of. Making everything all business all the time is pointless. It's okay to laugh a little!
I agree!
418 is in the MDN web docs, so that makes it pretty official if you ask me
The total lack of a VPN sponsor on this video in the 451 segment got me to straight-up laugh. I'm SURE that was an intentional joke, right?
😅. I definitely wrote it in hopes that one would land in my inbox, but alas.
In hindsight I should have played on it more! 🤣
Was definitely a bit psyched out that 418 wasn't in the list until the end haha
Haha sorry that I had you worried for a second! No list would be complete without it :)
I somewhat often get a 400 error code when logging into my Google account (which I do very often due to switching operating systems and devices every week or so). I find it very funny how they frame the error: "400. That's an error. The server cannot process the request because it is malformed. It should not be retried. That's all we know."
418 should just be called “You’re doing it wrong”
Please can you make a video about IP over Avian Carriers (IPoAC). Homing pigeons carrying internet traffic has to be one of the weirdest forms of Internet Protocol.
I'm reading the RFC now!
I've used 418 before as an Easter egg api call because I found it amusing
Oddly enough, I think I have configured servers to return all of these at one point or another.
420 is useful when you have more than one rate limiting scheme
218 is a snarky way to tell your API user to RTFM after making your service capable of handling that specific malformed request. Legacy systems that yours is not quite a drop in replacement for are usually involved.
530 is not completely unique to Pantheon, if you encounter it in the wild it is either someone that did not pay a bill, or more likely an error case that needs communicated in as few bits as possible to some particular client and so the dev co-opted a status code just legit enough that it won't raise any alarm bells with draconian network managers but weird enough that nobody is going to complain they can't use it for a "legitimate" purpose.
As for 418, see 218. I see that you are hitting my service with code you wrote for that other API. This is not a drop-in replacement, and I have not hacked in an adapter that works for your use case.
Great video with pleasant pacing. Hope to see more like it !
I feel like a pavlovian dog after I have watched so much youtube, cause after, you recommended to use a vpn my finger was ready to scroll in the video as I was sure there was coming an ad segment haha.
🤣🤣 sorry about that
I actually used a 451 for all IPs connecting a few months ago while I was working on removing some resources I had realized were not legal to share online. Later changed it to a 410 and then a few weeks later 404
When you said "530 site frozen" YouTube buffered for a second
🤣 What fantastic timing.
Meanwhile the teapot bait and switched me from thinking I'd get the 410 Gone.
It's very rare but a bit chilling when you get that one ("the resource is gone, stop asking").
Iirc some call center dialers staff considered a 410 on voip line calls a "customer cancelled their line".
You're right! 410 Gone is rather chilling when you think about it.
I remember once being shown the HTTP messages using a "Give me coffee" request analogy. IIRC it went as follows:
200: Here's your coffee. (OK)
400: Covfefe? (bad request)
401: I don't know if I can serve you coffee. (Unauthorized)
402: $3.50 please (Payment required)
403: You can't have coffee. (Forbidden)
404: We're out of coffee. Try again later.
410: We don't sell coffee anymore. (Gone)
418: Here's your tea. (Teapot)
450: Aren't you too young for coffee? (Parental Control)
Last time I saw a 410 in the wild the person in question was claiming they were being censored and trying to reach their profile page actually got you a plain "410 Gone | nginx" page instead of the usual "this profile isn't available/doesn't exist".
100: Any cream or sugar?
300: Try this place down the street.
451: We don't use "the C-word" around here.
I knew most of these existed, but not their origins. Thanks!
A fun one I saw recently was 402 Payment Required. It came from a service we were using that no longer wanted us to use it.
That's a really fun one!
Error code 420 - Your connection smelled that zaza
🤣🤣🤣
2:05 My hand was cocked and ready to rapidly press "L".
🤣🤣🤣
I had to implement 418 into my smart teapot. best day of my programming career
That's a lot of fun!
This deserves 10 million views.
i love 418 and i use it often for fun
I wonder if modern 3D modelling softwares still have teapot basic primitive like they jokingly did back in the 90's