Access denied: 403 or 404?

What status code should be returned if someone requests access to an object that he is not allowed to see? You will probably say 403 Forbidden. But is it worth returning 404 instead? I do not want anyone to know that this entity even exists if he is not allowed to see it. What do you think?

+5
4 answers

Use 404 Not found.

The 404 status code can also be used in 403 scenarios when the server does not want to reveal the reason why it refuses to serve the request. A good example is when the server perceives some kind of attack, which may be a brute force attack. In this case, the server responds with 404 Not Found instead of 403 Forbidden.

Source: ASP.NET Web API Professional Protection

+12

Return 403 Forbidden. If you return this for every request the client is not allowed to access, and never return 404 Not Found, the client learns nothing.

It all depends on how important this is for you:

I do not want anyone to know that this object even exists if he is not allowed to see it.

If this is really important, always return 403 Forbidden.

+1

Well .. it depends.

If your endpoint URLs expose sensitive information (for example, in the Dropbox API you refer to files by their names and not their identifiers, so the URLs contain file names), or perhaps you are using sequential identifiers (for example, ascending identifiers, which could be brute-forced), return 404.

If you need to support a "Request Access" feature for resources the user does not have permissions for, return 403 so that your client side can distinguish the two cases.

Generally speaking, if your API uses identifiers and never discloses information as part of its URLs, and you use UUIDs as identifiers, I would go with 403, as many well-known and highly secure applications do nowadays (Google, Microsoft, etc.).

0
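The trade-off discussed in the answers above (404 to hide that an object exists, 403 when the client must be able to tell "denied" from "missing", for instance to offer a request-access flow) can be made an explicit server-side policy. The following is an added example, not code from the original post or from any of the answerers; the object store, user names and object ids are constructed, and the hide_existence switch is a hypothetical parameter used to show both behaviours side by side. The existence_oracle function is the check a defender would run: it asks whether a non-owner can distinguish an existing object from a missing one purely from the response.

```python
# Added example (not from the original page): an access check that can hide the
# existence of objects the caller may not see, so that the status code does not
# act as an existence oracle. All data below is constructed for the demo.

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed sample store: object id -> owner. A real system would use a database.
OBJECTS = {
    "8c1e5b2a": "alice",
    "d47f09ee": "bob",
}

# Shared constants so that the "missing" and "hidden" responses are byte-identical
# (a different body or header would leak existence just as a different status does).
NOT_FOUND = Response(404, "Not Found")
FORBIDDEN = Response(403, "Forbidden")


def get_object(object_id: str, user: str, hide_existence: bool) -> Response:
    """Resolve a GET for object_id on behalf of user.

    hide_existence=False: classic behaviour, 403 for objects the user may not see
                          (needed if the client should offer "request access").
    hide_existence=True:  unauthorized callers get exactly the same response as
                          for a non-existent id, so the response cannot confirm
                          that the object exists.
    """
    owner = OBJECTS.get(object_id)
    if owner is None:
        return NOT_FOUND
    if owner != user:
        # The authorization decision is still made (and should be logged
        # server-side); only the client-visible response changes.
        return NOT_FOUND if hide_existence else FORBIDDEN
    return Response(200, f"object {object_id} owned by {owner}")


def existence_oracle(user: str, hide_existence: bool) -> bool:
    """Defender's check: does a non-owner get different responses for an
    existing object versus a missing one? True means the API leaks existence."""
    existing = get_object("8c1e5b2a", user, hide_existence)  # owned by alice
    missing = get_object("00000000", user, hide_existence)   # no such object
    return existing != missing


if __name__ == "__main__":
    for mode in (False, True):
        leaks = existence_oracle("carol", mode)
        print(f"hide_existence={mode}: non-owner can tell object exists? {leaks}")
```

With hide_existence=False the non-owner sees 403 for a real object and 404 for a missing one, so the status code confirms existence; with hide_existence=True both probes return the identical 404 response. The same reasoning applies to anything else the client can observe, such as response size and latency, so the hidden case should be served on the same code path as a genuine miss rather than after extra work.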

I hope the following clarifies the HTTP errors:

HTTP Error 401 :: This error occurs when a website visitor tries to access a restricted web page but is not authorized to do so.

HTTP Error 403 :: This error is similar to error 401, but note the difference between unauthorized and forbidden. It can occur, for example, when trying to access a directory (forbidden) on a website.

HTTP Error 404 :: Error 404 occurs when you try to access a resource on a web server (usually a web page) that does not exist.

-3

Source: https://habr.com/ru/post/1213611/
