[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 00:07:20 CDT 2007

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Wednesday, 6 June 2007 3:03 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

On 6/5/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
>> 404 = Object Not Found
>> 403 = Access Denied
>> So the question you need to ask yourself - if someone is accessing a
>> they are not authorized to view, is that "Access Denied"? or "Object Not
>> Found"? Sounds like the former to me.
>>From a security perspective, you may not want to allow people to
>>confirm the existence of things they're not authorized to access.

I agree

>>Minimizing the attack surface is a legitimate reason to return a 404;
>>it's "Not Found" /within the scope of the user's rights/.

This doesn't minimize any attack surface. It's purely "security through
obscurity", which isn't real security. Obscurity is good - you just can't
rely on it.

I thought we were all semantic purists here? How many times have I heard
stuff about "standards compliant rah, rah"? :-)


More information about the thelist mailing list