I'm wondering how a 404 or a 403 would be helpful ... Is the logging reason the main one? You could still get the logging information in your application log while reporting a 200 OK or using a 3xx redirect. FYI, there's no difference between a 404 from a Web server I'm not sure how the "security through obscurity" argument is helpful. Trying to apply it in this case is a broad interpretation of the phrase. Following that logic, these would also be examples of security through obscurity: * A firewall config that drops unauthorized packets instead of rejects them. * Hiding your passwords in shadow instead of passwd.