[thelist] 403 or 404?

Lee Kowalkowski lee.kowalkowski at googlemail.com
Wed Jun 6 03:53:40 CDT 2007


On 06/06/07, Hassan Schroeder <hassan.schroeder at gmail.com> wrote:
> From a security perspective, you may not want to allow people to
> confirm the existence of things they're not authorized to access.
>
> Minimizing the attack surface is a legitimate reason to return a 404;
> it's "Not Found" /within the scope of the user's rights/.

From a developer's point of view, a 403 is a godsend, because
immediately one thinks "oh yeah, I forgot to authenticate" or
whatever.

I think a hacker is in a different mindset and already knows not to
take 404s at face value; they'd soon catch on to a 404 ploy.

-- 
Lee
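
The two policies argued about above, as an added example that is not part of the thread and not code from either poster. It models a handler that answers 403 for a resource the caller may not read (confirming it exists) next to one that answers 404 for anything outside the caller's rights, and a small "oracle" function that shows what an unauthenticated prober can distinguish. The document table, paths and usernames (alice, bob, mallory) are constructed for the example; the third handler shows the caveat a practitioner would check for: if the "not found within your rights" 404 carries a different body than a genuine 404, the existence leak is back, which is the sort of tell a hacker looks for.

```python
"""403 vs 404 as an existence oracle (added example, constructed data)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample data (hypothetical): path -> owner who may read it.
DOCUMENTS = {
    "/docs/1": "alice",
    "/docs/2": "bob",
}


@dataclass(frozen=True)
class Response:
    """Minimal HTTP-ish response; equality compares status and body."""
    status: int
    body: str


def authorized(user: Optional[str], owner: str) -> bool:
    """Only the owner may read; anonymous callers are never authorized."""
    return user is not None and user == owner


def handle_leaky(path: str, user: Optional[str]) -> Response:
    """Developer-friendly policy: 403 when the resource exists but the
    caller may not read it. The 403/404 split confirms existence."""
    owner = DOCUMENTS.get(path)
    if owner is None:
        return Response(404, "Not Found")
    if not authorized(user, owner):
        return Response(403, "Forbidden")
    return Response(200, f"document at {path}")


def handle_scoped(path: str, user: Optional[str]) -> Response:
    """'Not Found within the scope of the user's rights': missing and
    unauthorized collapse to one identical response (status and body)."""
    owner = DOCUMENTS.get(path)
    if owner is None or not authorized(user, owner):
        return Response(404, "Not Found")
    return Response(200, f"document at {path}")


def handle_scoped_sloppy(path: str, user: Optional[str]) -> Response:
    """Same idea done carelessly: right status, but the unauthorized
    branch uses a different body, so the responses are distinguishable."""
    owner = DOCUMENTS.get(path)
    if owner is None:
        return Response(404, "Not Found")
    if not authorized(user, owner):
        return Response(404, "No such document for this account")
    return Response(200, f"document at {path}")


Handler = Callable[[str, Optional[str]], Response]


def existence_oracle(handler: Handler, user: Optional[str],
                     probe_paths: Iterable[str]) -> List[str]:
    """What a prober learns: every path whose response differs from the
    response for a path known not to exist. An empty list means the
    handler gives this caller no way to confirm existence."""
    baseline = handler("/docs/does-not-exist", user)
    return sorted(p for p in probe_paths if handler(p, user) != baseline)


if __name__ == "__main__":
    probes = ["/docs/1", "/docs/2", "/docs/3"]
    for name, h in (("leaky", handle_leaky), ("scoped", handle_scoped),
                    ("scoped_sloppy", handle_scoped_sloppy)):
        print(f"{name:14s} mallory can confirm: "
              f"{existence_oracle(h, 'mallory', probes)}")
```

The oracle only compares status and body; in a real probe, headers, response length and timing are compared the same way, so a 404 policy has to make the unauthorized branch indistinguishable on all of them, not just the status line.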
