Outline

If the accept: application/json header is missing then a HTML page is returned.

Expected Behaviour

This does not seem right to me, I would expect that where possible the response should fail safe. Currently json is the only response type supported so could be returned by default.

Otherwise if a tight interface is required then a 406 : Request Not Acceptable or HTTP 400 Bad Request should be returned.

Actual Behaviour

Given the following request

Results in the following, which also leaks potentially risky information about the system.
Bad Request
Error: The requested address '/api/accounting_entries' was not found on this server.
Stack Trace
APP/Vendor/cakephp/cakephp/lib/Cake/Event/CakeEventManager.php line 243 → AppController->beforeFilter(CakeEvent)
APP/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php line 677 → CakeEventManager->dispatch(CakeEvent)
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 189 → Controller->startupProcess()
APP/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php line 167 → Dispatcher->_invoke(AccountingEntriesController, CakeRequest)
APP/webroot/index.php line 117 → Dispatcher->dispatch(CakeRequest, CakeResponse)
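One way to get the fail-safe behaviour described above, as an added example that is not the project's own code: a CakePHP 2.x AppController::beforeFilter (the lib/Cake paths in the trace point at 2.x) that defaults a missing Accept header to JSON and answers 406 with a JSON body when the client explicitly accepts something else, so no exception reaches the HTML error renderer. It assumes JSON is the API's only representation.

```php
<?php
// app/Controller/AppController.php (CakePHP 2.x) -- added example, not the
// project's own code. Assumes JSON is the only representation the API serves.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public function beforeFilter() {
        parent::beforeFilter();

        // Accept header absent: treat the client as wanting JSON instead of
        // falling through to the HTML error page (the fail-safe default).
        if (CakeRequest::header('Accept') === false) {
            return;
        }

        // Accept header present: require a media range that covers JSON.
        $accepted = $this->request->accepts();
        $covered = array_intersect(
            array('application/json', 'application/*', '*/*'),
            $accepted
        );
        if (!empty($covered)) {
            return;
        }

        // Anything else gets a 406 with a minimal JSON body. No exception is
        // thrown, so the debug renderer never runs and no stack trace leaks.
        $this->response->statusCode(406);
        $this->response->type('json');
        $this->response->body(json_encode(array(
            'error' => 'Not Acceptable',
            'supported' => array('application/json'),
        )));
        $this->response->send();
        $this->_stop();
    }
}
```

Independently of the negotiation, the stack trace in the report only renders because debug is enabled; setting Configure::write('debug', 0) in app/Config/core.php on non-development deployments makes CakePHP 2 return its generic error pages without the trace.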