A specific status code needs to be selected.
The initial draft suggests one in the 4xx range. That seems to be appropriate given the semantics desired (whether broad or narrow; see #3409).
If that holds, we should select a code that is unregistered and relatively unused.
The next unassigned 4xx status code is 419. No use is documented in MDN or Wikipedia, but I see a few resources that mention a single PHP framework is squatting on it to indicate that a session token is expired.