What is the best HTTP Status Code to use if the server detects that the query string of an URI has been tampered with by the Client?
It's important to know what the nature is of the tampering. If you simply want to forbid people from accessing certain urls,
403 is often the most appropriate.
But there may be something more specific.
Let's say we have a collection of some sort and the items can be accessed via some identifier (.../collection/1). Now let's assume that a user can access the items with identifier between 1 and 100 using a GUI with buttons for instance that sets up the rest call, but not for identifiers > 100. Now if a user manipulates the HTML and the request in the browser and tries to access an item with id = 200, what status code is most appropriate to return?
/collection/101. If the item exists, but the user simply is not allowed to access that item, a
403 is appropriate.
101 is never accessible by anyone, because for example
101 is actually accessed via
404 status code is the most appropriate.
/collection/101 is not accessible, because the server has a 'state' that needs to change or be resolved first. This state can be resolved by the user, and is not an access-control issue, a
409 may be appropriate. But I'd say that usually this is not appropriate for requests such as
The way you describe it, it sounds more like a permission issue. So then
403 is an easy choice.