[thelist] 403 or 404?

Ken Schaefer Ken at adOpenStatic.com
Wed Jun 6 09:01:29 CDT 2007

Sure - but "security through obscurity" is not security.


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Moore
Sent: Wednesday, 6 June 2007 11:50 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] 403 or 404?

Hi all,

IMHO, you should not tell interlopers any more than they need to know. If you
give detailed error messages each time someone tries to crack your security,
they gain that much knowledge each time.

Everyone with access knows it already. As for everyone else, keep them in the


Bill Moseley wrote:
>Say I have a web application where someone must be logged in.
>To view an object a user makes a request like:
>     /object/21
>where 21 is the primary key in the object table.  If the user *owns* 
>object 21 they can view it.  If the user does not own the object do 
>they get 403 or 404?  Kind of seems like a 403.
>What if the request is for an id that doesn't exist?  Does that make a 
>     /object/393928128
>I'm thinking 404 in both cases (which I guess is withing the spec).
>Would you handle things differently if the object id was part of a 
>query string?
>     /object?id=21
>Or in a hidden field in a posted form?

More information about the thelist mailing list