[thelist] 403 or 404?

Ken Moore psm2713 at hotmail.com
Wed Jun 6 08:49:44 CDT 2007

Hi all,

IMHO, you should not tell interlopers any more than they need to know. If 
you give detailed error messages each time someone tries to crack your 
security, they gain that much knowledge each time.

Everyone with access knows it already. As for everyone else, keep them in 
the dark.


Bill Moseley wrote:
>Say I have a web application where someone must be logged in.
>To view an object a user makes a request like:
>     /object/21
>where 21 is the primary key in the object table.  If the user *owns*
>object 21 they can view it.  If the user does not own the object do
>they get 403 or 404?  Kind of seems like a 403.
>What if the request is for an id that doesn't exist?  Does that make a
>     /object/393928128
>I'm thinking 404 in both cases (which I guess is withing the spec).
>Would you handle things differently if the object id was
>part of a query string?
>     /object?id=21
>Or in a hidden field in a posted form?
>Bill Moseley
>moseley at hank.org

PC Magazine’s 2007 editors’ choice for best Web mail—award-winning Windows 
Live Hotmail. 

More information about the thelist mailing list