[thelist] 403 or 404?

Bill Moseley moseley at hank.org
Wed Jun 6 01:25:18 CDT 2007

On Wed, Jun 06, 2007 at 03:07:20PM +1000, Ken Schaefer wrote:
> >>Minimizing the attack surface is a legitimate reason to return a 404;
> >>it's "Not Found" /within the scope of the user's rights/.
> This doesn't minimize any attack surface. It's purely "security through
> obscurity", which isn't real security. Obscurity is good - you just can't
> rely on it.

This isn't really a security concern in this case (they ain't getting
at the object no matter which code I return!!).

I do think there's good case for 404, because from the user's
point of view the object just doesn't exist for them.

It's a bit less clear what the appropriate action is if the object id
is in a hidden field.  That would mean that

    1) the object was valid, but not longer is valid
    2) the hidden field was altered by the user
    3) application is buggy

That might be worthy of a 500 error.

> I thought we were all semantic purists here? How many times have I heard
> stuff about "standards compliant rah, rah"? :-)

Well 404 is permitted by the RFC.

Bill Moseley
moseley at hank.org

More information about the thelist mailing list