[thelist] 403 or 404?

patrick pms at stoutstreet.com
Wed Jun 6 09:53:22 CDT 2007


Stephen Rider wrote:
> On Jun 6, 2007, at 9:20 AM, patrick wrote:
> 
>> Stephen Rider wrote:
>>> If the person is not logged in at all, they get a 30x redirect to a
>>> "Please log in" page.
>>>
>>> IF they are logged in and try to access something they don't have
>>> rights to, they get a 404 page that says something noncommittal such
>>> as "The page was not found or you don't have access."
>> Saying this '...you don't have access.' does not do this '...leaves the
>> obscurity barrier to the hacker'
>>
>>> That leaves the obscurity barrier to the hacker, but gives some
>>> info to the legit user who made a mistake.
> 
> Sure it does.  As others have pointed out, any hacker worth his salt  
> is going to know that 404s are frequently used for access denied  
> pages, so you're not giving them info they don't have there.  What  
> you ARE doing is preventing them from knowing if the particular  
> object exists.  /object/21 (access denied) gives the exact same  
> result as /object/36 (doesn't exist) or /object/abc (invalid).
> 

But you said
 >>> as "The page was not found or you don't have access."

OR YOU DON'T HAVE ACCESS. Why add this? Just use a 404 and leave it at 
that. Why say any more? Saying
	'you don't have access'
is telling the hackers who AREN'T worth their salt
	'hey fella, keep going. There might be goodies here'
	


-- 

patrick sanders
http://www.stoutstreet.com
web sites that fit
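The scheme the thread is arguing about (30x redirect for anonymous visitors, one indistinguishable 404 for "exists but forbidden", "does not exist" and "malformed id") is easy to state and easy to get subtly wrong, so here is an added illustration in Python. It is not code from either poster; the object store, the user names, the `/login` path and the `enumerate_existing` probe are constructed for the example. The leaky variant beside it answers 403 when the object exists but is not the caller's, which is exactly the "keep going, there might be goodies here" signal patrick objects to, and the probe shows that an unprivileged caller can recover the list of real ids from it but not from the uniform handler.

```python
"""Uniform 404 for missing, forbidden and malformed object references."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample store: object id -> owner. Id 36 is deliberately absent,
# matching the /object/21 (denied) vs /object/36 (missing) contrast in the thread.
OBJECTS: Dict[int, str] = {21: "alice", 22: "bob"}

LOGIN_PAGE = "/login"            # hypothetical "please log in" page
NOT_FOUND_BODY = "Not found\n"   # one body for every failure we must not distinguish
OBJECT_PATH = re.compile(r"^/object/([0-9]+)$")  # ASCII digits only; str.isdigit() accepts more


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    location: Optional[str] = None  # Location header for redirects


def not_found() -> Response:
    return Response(404, NOT_FOUND_BODY)


def handle_object(path: str, user: Optional[str]) -> Response:
    """Uniform handler: anonymous -> redirect; anything else that is not the
    caller's own object -> byte-for-byte identical 404."""
    if user is None:
        # The redirect happens before any lookup, so it cannot leak existence.
        return Response(302, "", location=LOGIN_PAGE)
    match = OBJECT_PATH.match(path)
    if match is None:
        return not_found()                      # malformed id, e.g. /object/abc
    obj_id = int(match.group(1))
    owner = OBJECTS.get(obj_id)
    if owner is None or owner != user:
        return not_found()                      # missing and forbidden collapse together
    return Response(200, f"object {obj_id} owned by {owner}\n")


def leaky_handle_object(path: str, user: Optional[str]) -> Response:
    """Counter-example: distinguishes 'exists but not yours' (403) from 'missing' (404)."""
    if user is None:
        return Response(302, "", location=LOGIN_PAGE)
    match = OBJECT_PATH.match(path)
    if match is None:
        return not_found()
    obj_id = int(match.group(1))
    owner = OBJECTS.get(obj_id)
    if owner is None:
        return not_found()
    if owner != user:
        return Response(403, "You don't have access\n")   # tells the prober the id is real
    return Response(200, f"object {obj_id} owned by {owner}\n")


def enumerate_existing(handler: Callable[[str, Optional[str]], Response],
                       user: str, ids: Iterable[int]) -> Set[int]:
    """What a logged-in prober does: compare each id's response against a known-invalid
    baseline and keep every id that answers differently. An empty result means the
    handler gives the prober nothing to work with."""
    baseline = handler("/object/abc", user)
    return {i for i in ids if handler(f"/object/{i}", user) != baseline}


if __name__ == "__main__":
    probe_range = range(20, 40)
    print("leaky handler reveals:", sorted(enumerate_existing(leaky_handle_object, "mallory", probe_range)))
    print("uniform handler reveals:", sorted(enumerate_existing(handle_object, "mallory", probe_range)))
```

The equality check in `enumerate_existing` compares the whole response (status, body and redirect target), which is the point of building the 404 from a single constant: a handler that returns 404 for both cases but with different bodies, response sizes or timing is still an existence oracle, just a slightly noisier one.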
