There are some cases where an API response must not include content in the response body:
- If the operation is HEAD, then for any response code (200, 204, …) the API must not send a message body in the response.
- For any API operation (i.e. not just HEAD), when the response code is 204 or 304, the API again must not send a message body in the response.
These rules come from RFC 7231 and RFC 7232 and are enforced by API Security Audit, which checks that your API definition is valid and compliant with the relevant specifications.
The guidance provided in the API Security Audit report includes links to the specific parts of the relevant RFC docs.
Example of an incorrect API definition:
The RFC section highlighted in the API Security Audit report:
The corrected definition for the API HEAD operation:
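As an added example (not code from the original page or from the API Security Audit product), the following Python checker applies the two rules above to an OpenAPI definition and reports every response that declares a body where none is allowed. The two definitions it inspects are constructed here for illustration; the function names are assumptions.

```python
"""Flag OpenAPI responses that must not carry a message body.

Rule 1: any response of a HEAD operation must not declare a body (RFC 7231).
Rule 2: a 204 or 304 response of any operation must not declare a body (RFC 7231 / RFC 7232).
Handles both OpenAPI 3 ('content') and OpenAPI 2 ('schema') response objects.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
BODILESS_STATUSES = {"204", "304"}


def response_declares_body(response: dict) -> bool:
    """OpenAPI 3 declares a body via 'content'; OpenAPI 2 via 'schema'."""
    return bool(response.get("content")) or "schema" in response


def find_body_violations(spec: dict) -> list:
    """Return (path, method, status, reason) for each response that wrongly declares a body."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Skip path-level keys such as 'parameters', 'summary' or '$ref'.
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            for status, resp in op.get("responses", {}).items():
                status = str(status)  # YAML loaders may yield ints for status codes
                if not isinstance(resp, dict) or not response_declares_body(resp):
                    continue
                if method.lower() == "head":
                    findings.append((path, method, status, "HEAD responses must not have a body (RFC 7231)"))
                elif status in BODILESS_STATUSES:
                    findings.append((path, method, status, f"{status} responses must not have a body"))
    return findings


JSON_OBJECT = {"application/json": {"schema": {"type": "object"}}}

# Constructed sample: a HEAD 200 and a DELETE 204 that both (wrongly) declare a body.
INCORRECT_SPEC = {
    "openapi": "3.0.0",
    "paths": {"/items": {
        "head": {"responses": {"200": {"description": "ok", "content": JSON_OBJECT}}},
        "delete": {"responses": {"204": {"description": "deleted", "content": JSON_OBJECT}}},
    }},
}

# Constructed sample: the same operations with the 'content' blocks removed.
CORRECTED_SPEC = {
    "openapi": "3.0.0",
    "paths": {"/items": {
        "head": {"responses": {"200": {"description": "ok"}}},
        "delete": {"responses": {"204": {"description": "deleted"}}},
    }},
}

if __name__ == "__main__":
    for finding in find_body_violations(INCORRECT_SPEC):
        print(finding)
    print("corrected spec violations:", find_body_violations(CORRECTED_SPEC))
```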