
If I have a resource that a requesting client doesn't have access to but I want to notify them about an alternate resource for which they do have access, should I send them a 403 Forbidden with the alternate resource's URI in the header or content? Or should I just send a 303 See Other redirect to the resource to which they have access?

A: 

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

I'd presume you're looking for something in the 300 family. An automatic redirect seems a lot more friendly than a 403.

Plus, a 403 makes the object look interesting, and may invite more probing.

warren
+1  A: 

There is no HTTP code for "forbidden but have a look at this".

You can, however, customize your 403 error page so that a link to the alternative content is present. If you have multiple alternative links you might find this solution better.

If notifying the user that access is denied is not that important you might want to use a 302 (temporary redirect) instead or, if the user will never have access to the forbidden content, a 301 (permanent redirect).

XCondE
+1  A: 

If a human sees the error page, it doesn't really matter what code you choose; if there's a human-readable error message, people will ignore the code.

The question is what do you want a machine to do? Do you want a machine to automatically redirect to the alternative content under any circumstances? If there's a legitimate reason for someone to fetch pages from your site programmatically, should they get the alternative content in this case? Or if someone's using a caching proxy server, would you ever want it to automatically redirect?

If you don't ever want it to automatically redirect in those circumstances, then 403 is the right answer. If you'd prefer that people get the right content and only really curious users would care that the original content was forbidden, then a 301 or 302 would make more sense.

dmazzoni
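The difference the answers describe between an explicit 403 and an automatic redirect, as seen by a programmatic client, in an added example that is not from any of the posters. The paths, the `policy` switch and the use of a `Link` header with `rel="alternate"` to carry the pointer are assumptions made for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed paths (assumptions for this example, not from the thread).
RESTRICTED = "/reports/full"
ALTERNATE = "/reports/summary"

def make_handler(policy):
    # policy: "forbid" = 403 plus a pointer, "redirect" = 303 See Other
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == ALTERNATE:
                self._send(200, b"summary report\n")
            elif self.path != RESTRICTED:
                self._send(404, b"not found\n")
            elif policy == "redirect":
                # The client is never told that access was denied.
                self._send(303, b"", {"Location": ALTERNATE})
            else:
                # Explicit denial; the alternate is advertised, not followed.
                body = f"Forbidden. Try {ALTERNATE} instead.\n".encode()
                self._send(403, body, {"Link": f'<{ALTERNATE}>; rel="alternate"'})

        def _send(self, status, body, headers=None):
            self.send_response(status)
            for name, value in (headers or {}).items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Handler

def fetch_as_machine(policy):
    """Serve with `policy`, then request RESTRICTED the way a script would."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(policy))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    url = f"http://127.0.0.1:{server.server_port}{RESTRICTED}"
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.geturl().endswith(ALTERNATE), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, False, err.read()
    finally:
        server.shutdown()
        server.server_close()
```

`fetch_as_machine("forbid")` and `fetch_as_machine("redirect")` each return `(status, landed_on_alternate, body)`: with the 403 the script gets an error it has to handle, while with the 303 it receives the alternate content with no sign that the original was denied.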