Non-Authoritative Information
Production Risk
Low. It provides transparency about the response's origin. However, ensure the proxy is not inadvertently corrupting the response or removing critical headers.
The server is a transforming proxy that received a 200 OK from its origin, but is returning a modified version of the origin's response. The returned metainformation in the entity-header is not the definitive set as available from the origin server.
1. A caching proxy modifies a response, for example by converting an image format.
2. A third-party service that mirrors content returns a response.
3. A server-side proxy alters the response from an upstream service before forwarding it to the client.
A corporate web proxy that anonymizes user data serves a webpage from an external site.
GET /index.html HTTP/1.1
Host: example.com
Expected output
HTTP/1.1 203 Non-Authoritative Information
Fix
Set 203 in a transforming proxy and add a Warning header
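// Node.js transforming proxy: mark modified responses with 203
const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

app.use('/proxy', createProxyMiddleware({
  target: 'https://origin.example.com',
  selfHandleResponse: true, // the handler below writes the client response itself
  on: {
    proxyRes(proxyRes, req, res) {
      // Modify the response (e.g. strip sensitive headers)
      delete proxyRes.headers['x-internal-token'];
      // With selfHandleResponse the origin's headers are not copied
      // automatically, so forward the remaining ones explicitly
      for (const [name, value] of Object.entries(proxyRes.headers)) {
        res.setHeader(name, value);
      }
      if (proxyRes.statusCode === 200) {
        // Signal that this is a modified copy
        res.status(203);
        res.setHeader('Warning', '214 proxy.example.com "Transformed"');
      } else {
        // Anything other than 200 keeps the origin's status
        res.status(proxyRes.statusCode);
      }
      proxyRes.pipe(res);
    },
  },
}));
Why this works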
203 Non-Authoritative Information is intended for transforming proxies that receive a 200 from the origin but modify the payload before forwarding it. Setting it informs downstream clients and caches that the response is not a verbatim copy of the origin's response. RFC 7234 recommends adding a Warning: 214 header to document the transformation applied.
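The production risk noted above (a proxy dropping critical headers or corrupting the response) can be checked by comparing the origin's response with what the proxy actually returned. The following is an added example, not code from this page's author or from http-proxy-middleware; `auditProxied`, the `INTERNAL` and `CRITICAL` lists, and the sample responses are assumptions constructed for illustration.

```javascript
// Constructed policy lists (assumptions for this example, not from any standard).
const INTERNAL = ['x-internal-token'];   // the header this page's proxy strips
const CRITICAL = ['content-type', 'cache-control', 'content-security-policy'];

// HTTP header names are case-insensitive, so compare them lower-cased.
const lower = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

// Compare the origin's response with what the proxy returned and list each problem.
function auditProxied(origin, proxied) {
  const o = lower(origin.headers);
  const p = lower(proxied.headers);
  const findings = [];
  for (const h of INTERNAL) if (h in p) findings.push(`leaked:${h}`);
  for (const h of CRITICAL) if (h in o && !(h in p)) findings.push(`dropped:${h}`);

  // Any origin header or body that differs counts as a transformation.
  const modified = origin.body !== proxied.body ||
    Object.keys(o).some((h) => o[h] !== p[h]);
  if (origin.status === 200) {
    if (modified && proxied.status !== 203) findings.push('unmarked-transformation');
    if (!modified && proxied.status !== 200) findings.push('status-rewritten');
  } else if (proxied.status !== origin.status) {
    findings.push('status-rewritten');   // 203 only ever replaces a 200
  }
  // This page's convention: every 203 carries a Warning 214 header.
  if (proxied.status === 203 && !/^214 /.test(p.warning || '')) {
    findings.push('missing-warning-214');
  }
  return findings;
}

// Constructed sample data: one origin response and two proxy outputs.
const ORIGIN = {
  status: 200, body: '<h1>hi</h1>',
  headers: { 'Content-Type': 'text/html', 'Cache-Control': 'no-store',
             'X-Internal-Token': 't0ken' },
};
const GOOD = {
  status: 203, body: '<h1>hi</h1>',
  headers: { 'content-type': 'text/html', 'cache-control': 'no-store',
             warning: '214 proxy.example.com "Transformed"' },
};
const BAD = { status: 200, body: '<h1>hi</h1>', headers: { 'x-internal-token': 't0ken' } };

console.log(auditProxied(ORIGIN, GOOD));
console.log(auditProxied(ORIGIN, BAD));
```

`BAD` models a handler that forwards the internal token but none of the origin's other headers and leaves the status at 200, so the audit reports the leak, both dropped headers and the unmarked transformation.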
Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev