Access denied: 403 or 404?

Question

Use 404 Not found.

The 404 status code can also be used in 403 scenarios, when the server does not want to send back the reason why it is refusing to serve the request. A good example is when the server senses some kind of an attack, which might be a brute force attack. In this case, the server responds with a 404 Not found instead of a 403 Forbidden and an explanation.

Source: Pro ASP.NET Web API Security

Return 403 Forbidden. If you return this for every request the client is not allowed to access and if you never return 404 Not Found, the client knows nothing.

It all depends on how important this is for you:

I don't want somebody know that this entity even exists if he is not permitted to see it.

If this really is important, always return 403 Forbidden.

Well.. it depends..

If your endpoints' URLs reveal sensitive information (e.g., in Dropbox API, you refer to files by their names, rather than their IDs - so the URLs contain the file names) or perhaps you're using sequential IDs (e.g., ascending IDs that can be brute-forced), return 404.

If you need to support a "Request Access" feature to resources you don't have permissions for, return 403, so your client-side could tell the difference.

Generally speaking, if your API uses IDs and never reveal information as part of its URLs and you're using UUIDs as IDs, I would go with 403.. as with many well-known and very secured applications nowadays (Google, Microsoft, etc..).