Today I ran into an issue that caused a real headache and cost several hours. When deploying our project to a server, everything seemed to work fine, but when our form was included using an iframe, we got a 428 Precondition Required HTTP error when getting the captcha image. No one had ever encountered that server status, so we had a lot of research to do.
In the end, we figured out that there actually was no precondition required and that the error is completely unrelated (in our case, the session cookie is not properly sent to the server on the image request, still figuring out why). The 428 is willingly thrown in the CaptchaController (https://github.com/Gregwar/CaptchaBundle/blob/master/Controller/CaptchaController.php#L76), but is misleading and not the correct status code to return here.
The definition of 428: The HTTP 428 Precondition Required response status code indicates that the server requires the request to be conditional. (taken from https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/428).
The error method is used to indicate that the session is not OK. It has nothing to do with request structure, If-Match headers or anything that should be causing a 428.
Solution: The correct status code for this issue should be 400. Additionally, there shouldn't be an empty image but an error message indicating the problem (or an exception or something else in the logs).