[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 09:01:29 CDT 2007


Sure - but "security through obscurity" is not security.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Moore
Sent: Wednesday, 6 June 2007 11:50 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

Hi all,

IMHO, you should not tell interlopers any more than they need to know. If you
give detailed error messages each time someone tries to crack your security,
they gain that much knowledge each time.

Everyone with access knows it already. As for everyone else, keep them in the
dark.

Ken

Bill Moseley wrote:
>
>Say I have a web application where someone must be logged in.
>To view an object a user makes a request like:
>
>     /object/21
>
>where 21 is the primary key in the object table.  If the user *owns* 
>object 21 they can view it.  If the user does not own the object do 
>they get 403 or 404?  Kind of seems like a 403.
>
>What if the request is for an id that doesn't exist?  Does that make a 
>difference?
>
>     /object/393928128
>
>I'm thinking 404 in both cases (which I guess is within the spec).
>
>Would you handle things differently if the object id was part of a 
>query string?
>
>     /object?id=21
>
>Or in a hidden field in a posted form?
