Currently, when calling non-existent API methods (e.g. api/NonExistentMethod), the API returns a 200 OK status code instead of the expected 404 Not Found. This happens because the catch-all route /api/[{params:.*}] in apiroutes.php processes all requests, even invalid ones.
Why this matters:
- API security tools and web application firewalls key on HTTP status codes for threat detection; when every probe of a non-existent method comes back 200, endpoint enumeration is indistinguishable from legitimate traffic
- Third-party API monitoring tools need accurate status codes, otherwise calls to invalid methods are counted as successes instead of errors
- Client applications cannot distinguish a call to a valid endpoint from a mistyped one, since both return 200
- It violates REST API best practices (and the HTTP semantics of 404), which require a 404 response for a resource that does not exist
Proposed solution in apiroutes.php (Slim's `HttpNotFoundException` is converted into a 404 response by the error middleware):

```php
use Slim\Exception\HttpNotFoundException;

// Anything under /api that no other route matched is reported as 404.
// JwtMiddleware stays attached, so the token check still runs first.
$app->any('/api/[{params:.*}]', function ($request, $response) {
    throw new HttpNotFoundException($request);
})
->add(JwtMiddleware::class)
->setName("catchall");
```
This simple change ensures:
- Proper 404 responses for non-existent endpoints
- Better integration with API security tools
- Accurate error reporting in monitoring systems
- Compliance with REST API standards
The change is minimal and keeps JwtMiddleware on the route, so unauthenticated requests are still rejected by the middleware before the handler runs, and only authenticated callers of an unknown method receive the 404.
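To make the behaviour concrete, here is an added, self-contained Slim 4 example (not code from the project or this issue) that registers one real endpoint, the proposed catch-all, and a stand-in `JwtMiddleware` that accepts a fixed bearer token; the real middleware, the route names and the token are assumptions for illustration. It dispatches three constructed requests in-process and prints the status each one gets. Note that FastRoute matches dynamic routes in registration order, so the catch-all has to be registered after the project's real routes or it would shadow them.

```php
<?php
// Added example, not the project's code. Assumes slim/slim and slim/psr7 installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Exception\HttpNotFoundException;
use Slim\Exception\HttpUnauthorizedException;
use Slim\Factory\AppFactory;
use Slim\Psr7\Factory\ServerRequestFactory;

// Hypothetical stand-in for the project's JwtMiddleware: a real one verifies the
// signature and expiry; this one only checks for a fixed token so the example runs offline.
final class JwtMiddleware
{
    public function __invoke(Request $request, RequestHandler $handler): Response
    {
        if ($request->getHeaderLine('Authorization') !== 'Bearer valid-token') {
            throw new HttpUnauthorizedException($request);
        }
        return $handler->handle($request);
    }
}

$app = AppFactory::create();
$app->addRoutingMiddleware();
// ErrorMiddleware turns HttpNotFoundException into a 404 and HttpUnauthorizedException into a 401.
$app->addErrorMiddleware(false, false, false);

// A real endpoint (assumed name), registered BEFORE the catch-all.
$app->get('/api/Ping', function (Request $request, Response $response) {
    $response->getBody()->write('{"ok":true}');
    return $response->withHeader('Content-Type', 'application/json');
})->add(JwtMiddleware::class);

// The catch-all from the proposal: whatever under /api matched nothing else is a 404.
$app->any('/api/[{params:.*}]', function (Request $request, Response $response) {
    throw new HttpNotFoundException($request);
})->add(JwtMiddleware::class)->setName('catchall');

// Dispatch constructed requests in-process instead of over the network.
$factory = new ServerRequestFactory();
$cases = [
    ['GET', '/api/Ping',              'Bearer valid-token'], // valid endpoint, valid token
    ['GET', '/api/NonExistentMethod', 'Bearer valid-token'], // unknown endpoint, valid token
    ['GET', '/api/NonExistentMethod', ''],                   // unknown endpoint, no token
];
foreach ($cases as [$method, $uri, $auth]) {
    $req = $factory->createServerRequest($method, $uri);
    if ($auth !== '') {
        $req = $req->withHeader('Authorization', $auth);
    }
    $res = $app->handle($req);
    printf("%s %s -> %d\n", $method, $uri, $res->getStatusCode());
}
```

Running it with `php example.php` should print 200 for `/api/Ping`, 404 for the authenticated call to `/api/NonExistentMethod`, and 401 for the unauthenticated one: because the route middleware wraps the handler, the token check runs before the `HttpNotFoundException` is ever thrown, so an unauthenticated client still cannot use the status code to tell which methods exist.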