[thelist] 403 or 404?
Hassan Schroeder
hassan.schroeder at gmail.com
Wed Jun 6 00:02:32 CDT 2007
On 6/5/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> 404 = Object Not Found
> 403 = Access Denied
>
> So the question you need to ask yourself - if someone is accessing a resource
> they are not authorized to view, is that "Access Denied"? or "Object Not
> Found"? Sounds like the former to me.
From a security perspective, you may not want to allow people to
confirm the existence of things they're not authorized to access.
Minimizing the attack surface is a legitimate reason to return a 404;
it's "Not Found" /within the scope of the user's rights/.
YMMV,
--
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
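The distinction drawn in this thread, worked through as an added example (it is not code from the original post or from either poster): a lookup that answers "exists but forbidden" with 403 hands an enumerating client an existence oracle, while a lookup performed within the caller's own scope answers both "missing" and "not yours" with one identical 404. The resource store, the user names and the paths are constructed sample data; `leaky_lookup`, `scoped_lookup` and `enumerate_existing` are names chosen here for illustration.

```python
"""Added example: 403-vs-404 as an existence oracle, and the scoped 404 fix.

The store, users and paths are constructed sample data, not from the post.
"""

# Constructed sample store: path -> owner.  A real application would query a
# database or an ACL service here.
RESOURCES = {
    "/reports/q1-alice": "alice",
    "/reports/q1-bob": "bob",
}

# One canonical 404 response shared by the "missing" and "forbidden" cases,
# so that status, body and (by extension) content length are identical.
NOT_FOUND = (404, "Not Found")


def leaky_lookup(user, path):
    """Literal mapping: 404 if the object is missing, 403 if it exists but
    the caller does not own it.  Every 403 confirms that the path exists."""
    owner = RESOURCES.get(path)
    if owner is None:
        return NOT_FOUND
    if owner != user:
        return (403, "Forbidden")
    return (200, f"report for {owner}")


def scoped_lookup(user, path):
    """Scoped mapping: resolve the path only among resources the caller is
    entitled to see.  Anything outside that scope is "Not Found" for them,
    exactly as if it did not exist."""
    visible = {p: o for p, o in RESOURCES.items() if o == user}
    if path not in visible:
        return NOT_FOUND
    return (200, f"report for {visible[path]}")


def enumerate_existing(lookup, user, candidates):
    """What a probing client learns from a list of guessed paths: every path
    whose status is anything other than 404 is confirmed to exist."""
    return sorted(p for p in candidates if lookup(user, p)[0] != 404)


if __name__ == "__main__":
    probes = ["/reports/q1-alice", "/reports/q1-bob", "/reports/nope"]
    for name, fn in (("leaky", leaky_lookup), ("scoped", scoped_lookup)):
        print(name, "-> alice learns these exist:",
              enumerate_existing(fn, "alice", probes))
```

Run as a script, the leaky variant lets "alice" confirm that `/reports/q1-bob` exists; the scoped variant reveals only her own report. Two practical caveats when applying this: the 404 must be the same response in every observable respect (status, headers, body, and ideally timing), otherwise the oracle simply moves from the status code to those details; and the trade-off is debuggability for legitimate users, who can no longer tell a typo from a permission problem.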