I came across the section on HTTP status codes, and while I think I understand the author's intent, I’d like to offer a different perspective.
The standardized HTTP status codes maintained by IANA have been in use for over 30 years alongside the HTTP application layer protocol and are a fundamental part of web development. By adhering to these well-established standards, we can significantly reduce cognitive load rather than increase it. These codes are intuitive and easy to grasp—just by glancing at the first digit of the code, we can instantly infer whether the issue lies on the client side (4xx) or server side (5xx), and I'm intentionally omitting the whole aspect of machine-readable replies.
For example, compare the clarity of a standard 400 Bad Request with a hypothetical custom error code like invalid_data_sent_over_http_due_to_unsupported_field_format returned alongside a 200 OK or 500 Internal Server Error code. The former communicates the issue succinctly and universally, while the latter requires additional time and effort to read, parse, and comprehend—time that could be better spent resolving the issue. Not to mention the erroneous state of "correct" or "an error" response indicated by the generic status codes.
Custom, human-readable error codes do have their place, especially when they provide detailed, application-specific context about an issue. However, these should be used as supplementary indicators alongside the HTTP status code rather than replacing it, assuming the communication is happening over HTTP. This approach retains the benefits of a standardized system while adding domain-specific details where necessary, and it is known as Problem Details for HTTP APIs. It was proposed nearly ten years ago as RFC 7807 standard, later superseded by RFC 9457. There are existing implementations in many popular languages.
Standards like HTTP status codes and the Problem Details for HTTP APIs are part of the shared domain knowledge anyone working with HTTP APIs ought to know. Suggesting that such an engineer, regardless if it is a frontend or QA engineer, might struggle to interpret them points to a need for better onboarding or education, rather than a flaw in the standards themselves. Proficiency with such conventions is an essential skill in the industry and promotes interoperability and collaboration across teams.
Customizing systems to suit specific needs is important, but it’s equally crucial to strike a balance by leveraging decades of proven, standardized practices. By using HTTP status codes as a baseline and supplementing them with additional, human-readable error codes, for example, using the Problem Details, we can create systems that are both user-friendly, robust and require a lower cognitive load to grasp.
P.S. The difference between 401 and 403, as well as authentication and authorization, is not a nuance buried deep in some company ADRs, open for interpretation. The 401 response is defined, for example, as part of the RFC 7235 (of course, it is also defined in the original 2068) and can be simplified as "credentials are missing or are invalid". In contrast, 403 means the credentials are present and valid but inadequate (to access the requested resource). There is little to no left to argue about this. Unless we disregard those standards.
I hope this perspective adds to the discussion!
I came across the section on HTTP status codes, and while I think I understand the author's intent, I’d like to offer a different perspective.
The standardized HTTP status codes maintained by IANA have been in use for over 30 years alongside the HTTP application layer protocol and are a fundamental part of web development. By adhering to these well-established standards, we can significantly reduce cognitive load rather than increase it. These codes are intuitive and easy to grasp—just by glancing at the first digit of the code, we can instantly infer whether the issue lies on the client side (4xx) or server side (5xx), and I'm intentionally omitting the whole aspect of machine-readable replies.
For example, compare the clarity of a standard 400 Bad Request with a hypothetical custom error code like
invalid_data_sent_over_http_due_to_unsupported_field_formatreturned alongside a200 OKor500 Internal Server Errorcode. The former communicates the issue succinctly and universally, while the latter requires additional time and effort to read, parse, and comprehend—time that could be better spent resolving the issue. Not to mention the erroneous state of "correct" or "an error" response indicated by the generic status codes.Custom, human-readable error codes do have their place, especially when they provide detailed, application-specific context about an issue. However, these should be used as supplementary indicators alongside the HTTP status code rather than replacing it, assuming the communication is happening over HTTP. This approach retains the benefits of a standardized system while adding domain-specific details where necessary, and it is known as Problem Details for HTTP APIs. It was proposed nearly ten years ago as RFC 7807 standard, later superseded by RFC 9457. There are existing implementations in many popular languages.
Standards like HTTP status codes and the Problem Details for HTTP APIs are part of the shared domain knowledge anyone working with HTTP APIs ought to know. Suggesting that such an engineer, regardless if it is a frontend or QA engineer, might struggle to interpret them points to a need for better onboarding or education, rather than a flaw in the standards themselves. Proficiency with such conventions is an essential skill in the industry and promotes interoperability and collaboration across teams.
Customizing systems to suit specific needs is important, but it’s equally crucial to strike a balance by leveraging decades of proven, standardized practices. By using HTTP status codes as a baseline and supplementing them with additional, human-readable error codes, for example, using the Problem Details, we can create systems that are both user-friendly, robust and require a lower cognitive load to grasp.
P.S. The difference between 401 and 403, as well as authentication and authorization, is not a nuance buried deep in some company ADRs, open for interpretation. The 401 response is defined, for example, as part of the RFC 7235 (of course, it is also defined in the original 2068) and can be simplified as "credentials are missing or are invalid". In contrast, 403 means the credentials are present and valid but inadequate (to access the requested resource). There is little to no left to argue about this. Unless we disregard those standards.
I hope this perspective adds to the discussion!