Use Appropriate HTTP Status Codes

Why this matters

Returning incorrect HTTP status codes can lead to ambiguous API behavior, making it harder for clients to handle responses correctly.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(user); // Noncompliant: Setting 500 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.OK).build(); // Noncompliant: Setting 200 for exception
        }
    }
}

Prefer

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.ok(user); // Compliant: Setting 200 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build(); // Compliant: Setting 500 for exception
        }
    }
}

More snippets

Bad

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(user); // Noncompliant: Setting 500 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.OK).build(); // Noncompliant: Setting 200 for exception
        }
    }
}

Good

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.ok(user); // Compliant: Setting 200 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build(); // Compliant: Setting 500 for exception
        }
    }
}

Related rules

From the same buckets as this rule.

Critical

Check consent and role-based authorization before returning ePHI

Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

compliance-hipaasecurity-hardening+2

Critical

Children's data: verify age and parental consent

If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.

compliance-lgpdapi-conventions+1

Critical

Disallow public ingress without explicit allowlist

For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.

infra-as-codesecurity-hardening+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(user); // Noncompliant: Setting 500 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.OK).build(); // Noncompliant: Setting 200 for exception
        }
    }
}

Prefer

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.ok(user); // Compliant: Setting 200 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build(); // Compliant: Setting 500 for exception
        }
    }
}

More snippets

Bad

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(user); // Noncompliant: Setting 500 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.OK).build(); // Noncompliant: Setting 200 for exception
        }
    }
}

Good

@Controller
public class UserController {
    public ResponseEntity<User> getUserById(Long userId) {
        try {
            User user = userService.getUserById(userId);
            return ResponseEntity.ok(user); // Compliant: Setting 200 for a successful operation
        } catch (Exception e) {
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build(); // Compliant: Setting 500 for exception
        }
    }
}

Related rules

From the same buckets as this rule.

Critical

Check consent and role-based authorization before returning ePHI

Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.

compliance-hipaasecurity-hardening+2

Critical

Children's data: verify age and parental consent

If data subject is a child/adolescent, require age verification and parental/legal guardian consent prior to processing; deny processing otherwise and do not store the payload.

compliance-lgpdapi-conventions+1

Critical

Disallow public ingress without explicit allowlist

For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.

infra-as-codesecurity-hardening+1