[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Tue Jun 5 23:46:58 CDT 2007

404 = Object Not Found
403 = Access Denied

So the question you need to ask yourself - if someone is accessing a resource
they are not authorized to view, is that "Access Denied"? or "Object Not
Found"? Sounds like the former to me.


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bill Moseley
Sent: Wednesday, 6 June 2007 2:23 PM
To: thelist at lists.evolt.org
Subject: [thelist] 403 or 404?

Say I have a web application where someone must be logged in.
To view an object a user makes a request like:


where 21 is the primary key in the object table.  If the user *owns*
object 21 they can view it.  If the user does not own the object do
they get 403 or 404?  Kind of seems like a 403.

What if the request is for an id that doesn't exist?  Does that make a


I'm thinking 404 in both cases (which I guess is withing the spec).

Would you handle things differently if the object id was
part of a query string?


Or in a hidden field in a posted form?


More information about the thelist mailing list