HTTP conventions in Express API endpoints
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:Install this rule for wispbit
Quick Install
Run this one command to automatically install the rule:
curl -fsSL https://wispbit.com/api/install?rule=express-http-conventions | bash
Manual install
1
Copy the rule
---include: *.ts---Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```2
Add the rule into your project
Save the copied content as:
.wispbit/rules/express-http-conventions.mdInstall this rule for Coderabbit
Copy the configuration below and add it to your repository as .coderabbit.yml in your project root.
reviews: path_instructions: - path: "*.ts" instructions: | Ensure that for any new endpoint, the status code is matched with the correct purpose: - Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid) - Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions) - Use `404 Not Found` for resources that don't exist - Use `400 Bad Request` for invalid request parameters - Use `500 Internal Server Error` for server-side errors Bad: ```typescript // Wrong status code for permission error app.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling... }) ``` Good: ```typescript // Correct status codes for different scenarios app.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling... }) ``` Install this rule for Greptile
Greptile rules can be added through the web interface. Please see this documentation for details on how to add custom rules and context.
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```File Path Patterns:
*.ts
Install this rule for GitHub Copilot
Copilot instructions can be added through the interface. See the documentation for details on how to create coding guidelines.
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```File Path Patterns:
*.ts
Install this rule for Graphite Diamond
Diamond custom rules can be added through the interface. See the documentation for details on how to create custom rules.
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```File Path Patterns:
*.ts
Use with Cline
Copy the rule below and ask Cline to review your code using this rule
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```Use with OpenAI Codex
Copy the rule below and ask OpenAI Codex to review your code using this rule
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```Use with Cursor
Copy the rule below and ask Cursor to review your code using this rule
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```Use with Claude Code
Copy the rule below and ask Claude Code to review your code using this rule
Ensure that for any new endpoint, the status code is matched with the correct purpose:- Use `401 Unauthorized` for authentication failures (when credentials are missing or invalid)- Use `403 Forbidden` for authorization failures (when user is authenticated but lacks required permissions)- Use `404 Not Found` for resources that don't exist- Use `400 Bad Request` for invalid request parameters- Use `500 Internal Server Error` for server-side errorsBad:```typescript// Wrong status code for permission errorapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Permission denied" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(401).json({ error: "Permission denied" }) // Wrong code } // Resource handling...})```Good:```typescript// Correct status codes for different scenariosapp.get("/resource", (req: Request, res: Response) => { if (!req.user) { return res.status(401).json({ error: "Authentication required" }) } if (!hasPermission(req.user, "read_resource")) { return res.status(403).json({ error: "Permission denied" }) // Correct code } // Resource handling...})```