[thelist] 403 or 404?

Hassan Schroeder hassan.schroeder at gmail.com
Wed Jun 6 00:02:32 CDT 2007

On 6/5/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> 404 = Object Not Found
> 403 = Access Denied
> So the question you need to ask yourself - if someone is accessing a resource
> they are not authorized to view, is that "Access Denied"? or "Object Not
> Found"? Sounds like the former to me.

>From a security perspective, you may not want to allow people to
confirm the existence of things they're not authorized to access.

Minimizing the attack surface is a legitimate reason to return a 404;
it's "Not Found" /within the scope of the user's rights/.

Hassan Schroeder ------------------------ hassan.schroeder at gmail.com

More information about the thelist mailing list