404 = Object Not Found
403 = Access Denied

So the question you need to ask yourself - if someone is accessing a resource they are not authorized to view, is that "Access Denied"? or "Object Not Found"?

Sounds like the former to me.

Cheers,
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bill Moseley
Sent: Wednesday, 6 June 2007 2:23 PM
To: thelist at lists.evolt.org
Subject: [thelist] 403 or 404?

Say I have a web application where someone must be logged in. To view an object a user makes a request like:

    /object/21

where 21 is the primary key in the object table. If the user *owns* object 21 they can view it. If the user does not own the object do they get 403 or 404? Kind of seems like a 403.

What if the request is for an id that doesn't exist? Does that make a difference?

    /object/393928128

I'm thinking 404 in both cases (which I guess is within the spec).

Would you handle things differently if the object id was part of a query string?

    /object?id=21

Or in a hidden field in a posted form?
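As an added example (not code from either message in this thread), here is a minimal Python handler that implements both answers above as a switchable policy, and that reads the object id from the path, the query string or a hidden form field so that the id's source never changes the authorization decision. The object table, user names and function names are constructed for illustration.

```python
# Added illustration, not code from the thread. Users are assumed to be
# logged in already (the question starts from that point).
from dataclasses import dataclass
from typing import Optional

# Constructed sample object table: object id -> owning user.
OBJECTS = {21: "alice", 22: "bob"}


@dataclass
class Response:
    status: int
    body: str


def resolve_object_id(path: str, query: dict, form: dict) -> Optional[int]:
    """Pick the object id whether it arrives as /object/21, as /object?id=21,
    or as a hidden form field. Where the id comes from is a transport
    detail; the ownership check below is the same in every case."""
    candidates = []
    if path.startswith("/object/"):
        candidates.append(path[len("/object/"):])
    candidates += [query.get("id"), form.get("id")]
    for c in candidates:
        if c is not None and str(c).isdigit():
            return int(c)
    return None  # no usable id anywhere in the request


def view_object(user: str, object_id: Optional[int], hide_existence: bool) -> Response:
    """Return the response for a view request.

    hide_existence=False: 403 for someone else's object, 404 for a missing id
                          (Ken's answer: the status names the real condition).
    hide_existence=True:  404 in both cases (Bill's choice), so the response
                          does not reveal whether a given id exists at all.
    """
    if object_id is None:
        return Response(404, "not found")
    owner = OBJECTS.get(object_id)
    if owner == user:
        return Response(200, f"object {object_id}")
    if owner is None or hide_existence:
        return Response(404, "not found")
    return Response(403, "access denied")


if __name__ == "__main__":
    oid = resolve_object_id("/object", {"id": "21"}, {})
    print(view_object("bob", oid, hide_existence=False))  # 403
    print(view_object("bob", oid, hide_existence=True))   # 404
```

With hide_existence=True a request for another user's object and a request for a non-existent id produce identical responses, so a caller cannot tell from the status which ids exist; with hide_existence=False the two cases are distinguishable.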