[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 01:48:10 CDT 2007


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bill Moseley
Sent: Wednesday, 6 June 2007 4:25 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

On Wed, Jun 06, 2007 at 03:07:20PM +1000, Ken Schaefer wrote:
> >>Minimizing the attack surface is a legitimate reason to return a 404;
> >>it's "Not Found" /within the scope of the user's rights/.
> 
>> This doesn't minimize any attack surface. It's purely "security through
>> obscurity", which isn't real security. Obscurity is good - you just can't
>> rely on it.
>
>This isn't really a security concern in this case (they ain't getting
>at the object no matter which code I return!!).

What Hassan was trying to point out was that returning 403 means that a user
can fingerprint resources. If, somewhere down the track, there is a flaw in
your security implementation etc., then they can quickly get access to the
resources.

Hence, obscurity can be good - it raises the bar in terms of the effort
required by an attacker, and may dissuade them from attempting something in
the first place.

> I do think there's good case for 404, because from the user's
> point of view the object just doesn't exist for them.

The object does exist - this particular user is not allowed to access it.
That seems fairly clearly to be "Access Denied". The reason to use 404 would be
for the reasons that Hassan outlined.

Otherwise, by your argument there is no real need for any 403 error code
anywhere. IP address restriction kicking in? Well, for that banned IP
address, the resource doesn't exist. Send a 404.

Cheers
Ken
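As an added example (not from the thread or any of its posters), a small Python model of the two response policies discussed above, showing what a user without rights can and cannot infer about a resource from the status code alone. The site map, user names and the policy labels "403"/"404" are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    path: str
    allowed_for: frozenset  # user names permitted to access the resource


# Constructed sample site: one protected report and one public page.
SITE = {
    "/reports/q1.pdf": Resource("/reports/q1.pdf", frozenset({"alice"})),
    "/index.html": Resource("/index.html", frozenset({"alice", "bob", "anonymous"})),
}


def status_for(path: str, user: str, policy: str) -> int:
    """HTTP status the server sends for `user` requesting `path`.

    policy "403": a forbidden resource answers 403 (its existence is revealed).
    policy "404": a forbidden resource answers 404 ("Not Found" within the
    scope of the user's rights).  In both policies the authorization check
    itself is the real control; only the information leaked differs.
    """
    res = SITE.get(path)
    if res is None:
        return 404
    if user in res.allowed_for:
        return 200
    return 403 if policy == "403" else 404


def existence_oracle(user: str, policy: str, probes) -> dict:
    """What `user` learns about each probed path from the status code only.

    Returns {path: "exists" | "missing" | "unknown"}.  Under the 404 policy a
    404 may mean either "not there" or "there but forbidden", so the user
    cannot fingerprint protected resources.
    """
    inferred = {}
    for p in probes:
        code = status_for(p, user, policy)
        if code in (200, 403):
            inferred[p] = "exists"          # 403 confirms the resource is there
        else:
            inferred[p] = "missing" if policy == "403" else "unknown"
    return inferred
```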