[thelist] 403 or 404?

Stephen Rider evolt_org at striderweb.com
Wed Jun 6 09:39:31 CDT 2007

On Jun 6, 2007, at 9:20 AM, patrick wrote:

> Stephen Rider wrote:
>> If the person is not logged in at all, they get a 30x redirect to a
>> "Please log in" page.
>> IF they are logged in and try to access something they don't have
>> rights to, they get a 404 page that says something noncommittal such
>> as "The page was not found or you don't have access."
> Saying this '...you don't have access.' does not do this '...leaves  
> the
> obscurity barrier to the hacker'
>> That's leaves the obscurity barrier to the hacker, but gives some
>> info to the legit user who made a mistake.

Sure it does.  As others have pointed out, any hacker worth his salt  
is going to know that 404s are frequently used for access denied  
pages, so you're not giving them info they don't have there.  What  
you ARE doing is preventing them from knowing if the particular  
object exists.  /object/21 (access denied) gives the exact same  
result as /object/36 (doesn't exist) or /object/abc (invalid).

Stephen Rider

More information about the thelist mailing list