[thelist] 403 or 404?
Stephen Rider
evolt_org at striderweb.com
Wed Jun 6 09:39:31 CDT 2007
On Jun 6, 2007, at 9:20 AM, patrick wrote:
> Stephen Rider wrote:
>> If the person is not logged in at all, they get a 30x redirect to a
>> "Please log in" page.
>>
>> IF they are logged in and try to access something they don't have
>> rights to, they get a 404 page that says something noncommittal such
>> as "The page was not found or you don't have access."
>
> Saying this '...you don't have access.' does not do this '...leaves the
> obscurity barrier to the hacker'
>
>> That leaves the obscurity barrier to the hacker, but gives some
>> info to the legit user who made a mistake.
Sure it does. As others have pointed out, any hacker worth his salt
is going to know that 404s are frequently used for access denied
pages, so you're not giving them info they don't have there. What
you ARE doing is preventing them from knowing if the particular
object exists. /object/21 (access denied) gives the exact same
result as /object/36 (doesn't exist) or /object/abc (invalid).
--
Stephen Rider
<http://striderweb.com/>
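The policy Stephen describes, as an added example that is not part of the thread: anonymous visitors get a redirect before any lookup, and a logged-in user gets one constant 404 response whether the object is forbidden, missing, or the id is invalid, so /object/21, /object/36 and /object/abc are indistinguishable. The object table, user names and paths are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: object id -> owning user. Object 21 exists and
# belongs to "alice"; object 36 does not exist at all.
OBJECTS = {21: "alice"}


@dataclass(frozen=True)
class Response:
    status: int
    headers: Tuple[Tuple[str, str], ...]
    body: str


# Both "error" outcomes are shared constants, so status, headers and body
# cannot drift apart between the denied and the not-found case.
LOGIN_REDIRECT = Response(302, (("Location", "/login"),), "")
NOT_FOUND = Response(404, (), "The page was not found or you don't have access.")


def handle_object(path_id: str, user: Optional[str]) -> Response:
    """Handle GET /object/<path_id> for the given (possibly anonymous) user."""
    # Not logged in: redirect to the login page without consulting the
    # object table, so the redirect says nothing about whether the id exists.
    if user is None:
        return LOGIN_REDIRECT
    # Invalid id (e.g. "abc") -> same 404 as everything else below.
    try:
        obj_id = int(path_id)
    except ValueError:
        return NOT_FOUND
    owner = OBJECTS.get(obj_id)
    # Missing object and existing-but-forbidden object collapse into one branch.
    if owner is None or owner != user:
        return NOT_FOUND
    return Response(200, (), f"object {obj_id} owned by {owner}")


def responses_indistinguishable(*responses: Response) -> bool:
    """Defender's check: all given responses are identical in status, headers and body."""
    return len(set(responses)) == 1


if __name__ == "__main__":
    # "bob" is logged in but owns nothing; the three cases from the post must match.
    print(responses_indistinguishable(handle_object("21", "bob"),   # denied
                                      handle_object("36", "bob"),   # missing
                                      handle_object("abc", "bob"))) # invalid
```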