[thelist] 403 or 404?
Ken Schaefer
Ken at adOpenStatic.com
Wed Jun 6 00:07:20 CDT 2007
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Wednesday, 6 June 2007 3:03 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?
On 6/5/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
>> 404 = Object Not Found
>> 403 = Access Denied
>>
>> So the question you need to ask yourself - if someone is accessing a
resource
>> they are not authorized to view, is that "Access Denied"? or "Object Not
>> Found"? Sounds like the former to me.
>>
>>From a security perspective, you may not want to allow people to
>>confirm the existence of things they're not authorized to access.
I agree
>>
>>Minimizing the attack surface is a legitimate reason to return a 404;
>>it's "Not Found" /within the scope of the user's rights/.
This doesn't minimize any attack surface. It's purely "security through
obscurity", which isn't real security. Obscurity is good - you just can't
rely on it.
I thought we were all semantic purists here? How many times have I heard
stuff about "standards compliant rah, rah"? :-)
Cheers
Ken
More information about the thelist
mailing list