[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 23:14:00 CDT 2007



-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of jenny w
Sent: Thursday, 7 June 2007 4:27 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

> I'm wondering how a 404 or a 403 would be helpful ... Is the logging
> reason the main one? You could still get the logging information in
> your application log while reporting a 200 OK or using a 3xx redirect.

If your webserver logs whatever status you are sending back to the client,
then you can't (from the logged status) determine which 200s were legitimate
requests that succeeded, and which were requests that were rejected
successfully.

> FYI, there's no difference between a 404 from a Web server

Can you please include the actual text that you are replying to, so that the
rest of us have some idea of what the conversation flow is here? It's
probably obvious to you (since you are the one replying), but not so obvious
to us.

> I'm not sure how the "security through obscurity" argument is helpful.
> Trying to apply it in this case is a broad interpretation of the
> phrase.

Huh? This is a classic example of "security through obscurity". The security
of the system depends entirely upon some code that OP has written (or is
using). Whether that code returns a particular HTTP status does nothing to
improve or further secure the resource. If the code has an implementation
flaw that allows unauthorized persons access, then the HTTP status code does
nothing whatsoever.

All we are doing by returning 404s is burying the legitimate URLs in amongst
the infinite possible URLs that do not exist. That's "obscurity" (which isn't
a bad thing - you just can't *rely* on it to keep your asset secure).

Cheers
Ken



Following that logic, these would also be examples of security
through obscurity:

* A firewall config that drops unauthorized packets instead of rejects them.

* Hiding your passwords in shadow instead of passwd.
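The logging point Ken makes above (a rejected request answered with 200 is indistinguishable, in the web server's own log, from a successful one) is easy to show over a few access-log lines. The following is an added example, not code from the thread or from any of its participants; the log lines, client addresses and paths are constructed for the demonstration, and the helper names are my own.

```python
import re
from collections import Counter

# Apache/NCSA common log format: client, identd, user, timestamp, request,
# status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample access log (hypothetical addresses and paths, not taken
# from the mailing-list thread). One client probes several protected URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2007:04:27:01 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [07/Jun/2007:04:27:02 -0500] "GET /admin/ HTTP/1.1" 403 212
198.51.100.9 - - [07/Jun/2007:04:27:05 -0500] "GET /reports/q1.pdf HTTP/1.1" 200 55120
203.0.113.5 - - [07/Jun/2007:04:27:06 -0500] "GET /admin/users HTTP/1.1" 403 212
203.0.113.5 - - [07/Jun/2007:04:27:07 -0500] "GET /admin/config HTTP/1.1" 404 198
198.51.100.9 - - [07/Jun/2007:04:27:09 -0500] "GET /missing.gif HTTP/1.1" 404 198
203.0.113.5 - - [07/Jun/2007:04:27:10 -0500] "GET /admin/backup HTTP/1.1" 403 212
"""

# Statuses the web server log records for requests the application turned away.
REJECTED = frozenset({"401", "403", "404"})


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every well-formed line of a log; malformed lines are skipped."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def status_breakdown(records):
    """Count responses by HTTP status, as an analyst would from the server log."""
    return Counter(r["status"] for r in records)


def rejections_per_client(records, rejected=REJECTED):
    """Count rejected requests per client address, using only the logged status."""
    return Counter(r["ip"] for r in records if r["status"] in rejected)


def clients_over_threshold(records, threshold, rejected=REJECTED):
    """Clients whose rejection count reaches the threshold; a simple review trigger."""
    per_client = rejections_per_client(records, rejected)
    return sorted(ip for ip, n in per_client.items() if n >= threshold)


def mask_rejections_as_200(records):
    """Simulate an application that answers every request 200 and keeps the real
    outcome only in its own application log: the server log loses the signal."""
    return [dict(r, status="200") if r["status"] in REJECTED else dict(r)
            for r in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("with real statuses:", dict(status_breakdown(recs)))
    print("rejections per client:", dict(rejections_per_client(recs)))
    print("clients at >= 3 rejections:", clients_over_threshold(recs, 3))
    print("if rejections were sent as 200:",
          dict(status_breakdown(mask_rejections_as_200(recs))))
```

With the statuses left honest, the server log alone shows three 403s and two 404s and points at the one client that collected four of them; after `mask_rejections_as_200` every line reads 200, and nothing in that log distinguishes the probes from ordinary traffic, which is exactly the loss Ken describes.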