You are reading an archived post from the first version of my blog. I've started fresh, and the new design and content is now at

The Case of the Missing Defensive Design

July 9, 2004

Defensive Design encompasses a lot of key principles — one of which is rescuing users when errors occur. The guys at 37signals write:

Guideline 16:
Offer customized “Page not found” error pages

Great advice — Hopefully in the next edition, we can see it expand to include other error pages as well. Here’s why I hope so…

What follows is a real email exchange that was started when a person filled out the contact form over at The name of the other party has been changed to protect the innocent.

Subject: Consulting Request from web site
I filled out all questions and applied for the refund of the purchase of my HP Pavilion a520n. When pressing continue, I was told the page is forbidden for me. What is wrong and can you orrect it? Please answer over my e-mail. Letter with all documentation will go out on Monday,June 28, 2004. Purchase was done on the 17th of June 2004.

OK, I’m confused. This doesn’t make sense to me at all. Then I receive a phone call from the person as well. Turns out this person is local to Ottawa.

Hi XXXX — I received your telephone message as well — Quite honestly I’m not sure what computer you are referring to. We are not in the business of selling computers, and to my knowledge you aren’t one of our existing clients. Did someone suggest you contact us?

Sorry for the confusion, but I’m just rying to understand what has happened here…

Best regards,

Their response:

Thank you for the prompt reply. I referred to the refund of $50.oo on a new computer I bought. I filled out all the questions but the when I clicked continue I received the message: the page cannot be displayed. Then the message : You are not authorized to view this page. All I did followed all instruction to register for my refund, which papers will all go out Monday by mail. Thanks

Hmmm. That’s interesting. Better reply again.

Hi again, XXXX. What I don’t understand is why you are contacting me about the refund for your computer? I didn’t sell you the computer, so I’m not sure how I can help you.

Sorry, but I am very confused as to why you have contacted me, or how you knew my name and phone number.


So now I’m really curious. Then I start checking our referrer logs to see if I can see when things happened. Right… there’s the POST of the contact form at 3:19pm, just like in the message. The IP address is also local. Here’s what brought them to our site: a search for http error 403 via MSN search

I see what has happened…


I just wanted to follow up on our email conversation — to make sure you found the right people. You had written me asking about your computer and returning it, and I had replied that I wasn’t sure what you were talking about. I think I may have figured out what happened.

When something goes wrong on a web page, quite often errors occur and they tell your computer that something wasn’t quite right (in your case, I believe you said there was a “forbidden” error). I expect that what happened was that when you searched for the error message, you came across our site where we list these common error/status codes for reference for other web developers and designers.

I believe that is how you came across our site, and then submitted our contact form which came to me. Does that sound like what happened?

I’m hoping that you managed to get things sorted out with the computer and the company you bought it from!!

Best regards – hope you are well…

I start looking around our referrer logs some more. Turns out our resource page on HTTP Error/Status Codes gets quite a bit of traffic.

There’s loads in there. Perhaps the next message I send should be to the company from which this person bought their computer – I’ll include a link to buy a copy of Defensive Design.

Defensive Design goes beyond 404 error pages. Make sure that when you are building sites that require HTTP Authentication or SSL, that you provide some error documents for those points of failure as well…

Now, if you’ll excuse me, I am off to figure out how many places I need to add ErrorDocument directives in my .htaccess files…

Filed under:

2 Responses

Comment by Christian — Jul 09 2004 @ 9:57 am

Nice piece of detective work! It’s stories like this that remind me what a confusing place the web is for some people, and how we, as web designers, must throw our assumptions and expectations out the window when it comes to thinking about how people might use the sites we build.

Comment by feather — Jul 11 2004 @ 10:16 am

It's stories like this that remind me what a confusing place the web is for some people, and how we, as web designers, must throw our assumptions and expectations out the window when it comes to thinking about how people might use the sites we build.

Indeed, Christian. One thing we often seem to forget is that all of our users have “coping mechanisms” to help them in their Muddling Through. Where do people turn when something goes wrong? It depends on what you’ve provided them — if you provide nothing, they may search. How many times do you find your full web address in your search engine referrer logs?

I also find it interesting that in this case the lack of error documents or contingency design on the part of the company may not actually impact the company – rather, had an impact on me. Admittedly it wasn’t much impact, but the point still stands. I don’t even want to think how it will go if I actually had to respond to more of these types of queries…