Sure - but "security through obscurity" is not security.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Moore
Sent: Wednesday, 6 June 2007 11:50 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

Hi all,

IMHO, you should not tell interlopers any more than they need to know. If you give detailed error messages each time someone tries to crack your security, they gain that much knowledge each time. Everyone with access knows it already. As for everyone else, keep them in the dark.

Ken

Bill Moseley wrote:
>
> Say I have a web application where someone must be logged in.
> To view an object a user makes a request like:
>
>     /object/21
>
> where 21 is the primary key in the object table. If the user *owns*
> object 21 they can view it. If the user does not own the object do
> they get 403 or 404? Kind of seems like a 403.
>
> What if the request is for an id that doesn't exist? Does that make a
> difference?
>
>     /object/393928128
>
> I'm thinking 404 in both cases (which I guess is within the spec).
>
> Would you handle things differently if the object id was part of a
> query string?
>
>     /object?id=21
>
> Or in a hidden field in a posted form?
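The practical difference between the two answers in the thread is whether a logged-in user can enumerate other people's object ids. An added example, not code from anyone on the list: the first handler answers 403 for "exists but not yours" and 404 for "does not exist", so walking /object/1, /object/2, ... maps every id in the table; the second scopes the lookup to the caller so both cases collapse into one identical 404. The object table, user names, `Response` type and `can_enumerate` probe are all constructed for this example.

```python
"""Added example (not from the thread): 403 vs 404 when a logged-in user
requests an object id that exists but belongs to someone else.

OBJECTS and the user names are constructed sample data."""

from dataclasses import dataclass
from http import HTTPStatus

# Constructed sample table: primary key -> owner id.
OBJECTS = {21: "alice", 22: "bob"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def handle_leaky(user: str, object_id: int) -> Response:
    """Distinguishes 'not yours' (403) from 'does not exist' (404).

    A 403 confirms the id exists, so any authenticated user can map the
    whole id space just by reading status codes."""
    owner = OBJECTS.get(object_id)
    if owner is None:
        return Response(HTTPStatus.NOT_FOUND, "Not found")
    if owner != user:
        return Response(HTTPStatus.FORBIDDEN, "Forbidden")
    return Response(HTTPStatus.OK, f"object {object_id}")


def handle_opaque(user: str, object_id: int) -> Response:
    """Looks the object up *scoped to the caller*, so 'not yours' and
    'does not exist' are the same branch and yield an identical 404.

    The id may come from the path, a query string or a hidden form field;
    the rule does not change with its source."""
    owner = OBJECTS.get(object_id)
    if owner != user:  # covers both a missing row and someone else's row
        return Response(HTTPStatus.NOT_FOUND, "Not found")
    return Response(HTTPStatus.OK, f"object {object_id}")


def can_enumerate(handler, probing_user: str, ids) -> bool:
    """True if a user who owns none of `ids` can tell existing ids from
    non-existent ones purely from the responses they receive."""
    distinct = set()
    for oid in ids:
        resp = handler(probing_user, oid)
        if resp.status != HTTPStatus.OK:
            distinct.add((int(resp.status), resp.body))
    # More than one distinct non-OK response means ids are distinguishable.
    return len(distinct) > 1


if __name__ == "__main__":
    probe = [21, 22, 393928128]
    print("leaky handler enumerable:", can_enumerate(handle_leaky, "mallory", probe))
    print("opaque handler enumerable:", can_enumerate(handle_opaque, "mallory", probe))
```

In a real application the scoped lookup is a single query of the form `WHERE id = ? AND owner = ?`, so the missing-row and wrong-owner cases share not only the status code and body but also the same code path and roughly the same response time; doing the existence check first and the ownership check second reintroduces the distinction through timing even if both branches return 404.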