Access denied: 403 or 404?


Use 404 Not found.

The 404 status code can also be used in 403 scenarios, when the server does not want to send back the reason why it is refusing to serve the request. A good example is when the server senses some kind of an attack, which might be a brute force attack. In this case, the server responds with a 404 Not found instead of a 403 Forbidden and an explanation.

Source: Pro ASP.NET Web API Security


Return 403 Forbidden. If you return this for every request the client is not allowed to access and if you never return 404 Not Found, the client knows nothing.

It all depends on how important this is for you:

I don't want somebody to know that this entity even exists if they are not permitted to see it.

If this really is important, always return 403 Forbidden.


Well... it depends...

If your endpoints' URLs reveal sensitive information (e.g., in the Dropbox API, you refer to files by their names rather than their IDs, so the URLs contain the file names) or perhaps you're using sequential IDs (e.g., ascending IDs that can be brute-forced), return 404.

If you need to support a "Request Access" feature to resources you don't have permissions for, return 403, so your client-side could tell the difference.

Generally speaking, if your API uses IDs and never reveals information as part of its URLs, and you're using UUIDs as IDs, I would go with 403, as many well-known and very secure applications do nowadays (Google, Microsoft, etc.).
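The three policies the answers above describe (hide as 404, hide as 403, or distinguish to support a "Request Access" flow), as an added example that is not from any answer or from a real API; the in-memory store, user names and the `/access-requests` path are constructed for illustration:

```python
from dataclasses import dataclass
from enum import Enum

# Constructed in-memory store: resource id -> owner (sample data, not a real backend)
RESOURCES = {"doc-1": "alice", "doc-2": "bob"}


class Policy(Enum):
    HIDE_AS_404 = "404"   # forbidden looks exactly like missing (first answer, and the leaky-URL case)
    HIDE_AS_403 = "403"   # missing looks exactly like forbidden (second answer)
    DISTINGUISH = "both"  # 404 vs 403, which enables a "Request Access" flow (third answer)


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def fetch_resource(user: str, resource_id: str, policy: Policy) -> Response:
    """Authorize a read and pick the status code according to the chosen policy."""
    owner = RESOURCES.get(resource_id)
    exists = owner is not None
    allowed = exists and owner == user

    if allowed:
        return Response(200, {"id": resource_id, "owner": owner})

    # Hiding policies: build ONE response for both the missing and the forbidden case,
    # so neither the status nor the body acts as an existence oracle.
    if policy is Policy.HIDE_AS_404:
        return Response(404, {"error": "not_found"})
    if policy is Policy.HIDE_AS_403:
        return Response(403, {"error": "forbidden"})

    # DISTINGUISH: the caller may learn the resource exists, in exchange for a request-access hint.
    if not exists:
        return Response(404, {"error": "not_found"})
    return Response(403, {"error": "forbidden",
                          "request_access": f"/access-requests?resource={resource_id}"})


def leaks_existence(policy: Policy) -> bool:
    """True if a non-owner can tell a forbidden id apart from a missing one (constructed ids)."""
    forbidden = fetch_resource("carol", "doc-1", policy)    # exists, owned by alice
    missing = fetch_resource("carol", "doc-999", policy)    # does not exist
    return forbidden != missing
```

A quick way to audit an existing API for the same property is to compare the full responses (status, headers, body and ideally timing) for a forbidden id and a nonexistent id from the same unprivileged client, which is what `leaks_existence` does for the toy store.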