Forcing 412 Precondition Failed
Per RFC 9110 §13.1.1, if the If-Match value doesn't match any current representation's ETag, the server MUST return 412.
Mechanism: Per RFC 9110 §13.1.1, if the If-Match value doesn't match any current representation's ETag, the server MUST return 412. The server must locate the resource to compare ETags.
Isolated Variable: Only the If-Match header is added with a fabricated ETag value.
Oracle Signal: 412 (exists) vs 404 (does not exist).
PUT — Existing Resource
PUT /api/users/1001 HTTP/1.1
Host: target.com
Content-Type: application/json
If-Match: "bogus-etag-value"
Content-Length: 27
{"name": "test", "age": 30}
HTTP/1.1 412 Precondition Failed
Content-Type: application/json
{"error": "Precondition Failed", "detail": "ETag mismatch"}PUT — Non-Existing Resource
PUT /api/users/9999 HTTP/1.1
Host: target.com
Content-Type: application/json
If-Match: "bogus-etag-value"
Content-Length: 27
{"name": "test", "age": 30}
HTTP/1.1 404 Not Found
Content-Type: application/json
{"error": "Not Found"}💡 Wildcard variant (
If-Match: *):*matches any current representation, so an existing resource passes and the server attempts the operation. A non-existing resource returns412. The successful branch mutates state — use fabricated ETags to avoid unintended writes.
Mitigation: Return 404 for non-existent resources before evaluating precondition headers.
Forcing 409 Uniqueness Constraint
Per RFC 9110 §15.5.10, attempting to update a resource with a field value that must be unique but already exists in another record triggers 409.
Forcing 413 Content Too Large
Per RFC 9110 §15.5.14, if the application enforces size limits after resolving the resource, existing resources return 413 while non-existing ones return 404.