Handling forbidden REST requests 403 vs 404

Semantically speaking, an API should return an error message adapted to the situation. For instance, if a user makes a request to GET /article/2386, it should return (the user needs to be authenticated to request that API, so that rights management can be handled):

  • article data if it exists and user has permission,
  • 404 Not Found with error message if it doesn't exist,
  • 403 Forbidden with error message if user doesn't have permission.

Now I wonder if it's not wiser to return 403 Forbidden in both cases, as an evil user could try to randomly scan resources and get insights on whether they exist or not (403 if they exist, 404 if they don't).

So would it be advisable to return a 403 in both cases or is it "criminal"?

Buzut asked Sep 26 '15 08:09



1 Answer

I've hit a number of situations like this before and I usually went the other route of 404ing if they don't have permissions. My rationale being there is no article of ID 2386 that you can view, therefore NotFound. I like that more than "you don't have permissions to view something that doesn't exist".

As for "is it criminal", I would say no. I'm far from a RESTefarian but I consider REST to be a guide to making your api more intuitive for consumers. If security means you need to change things a little bit so be it. Plus, does this really make it any less intuitive?

I hope this helps :).

JCalder answered Sep 21 '22 12:09
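A minimal GET /article/{id} handler, added here as an example (it is not code from the question or the answer above), that contrasts the three response policies discussed in the thread: the "leaky" 403-vs-404 split, the answer's uniform 404, and the asker's uniform 403. The in-memory article store, the owner-only permission rule and the user names are constructed for illustration; `leaks_existence` plays the role of the "evil user" scanning IDs and checks whether a forbidden-but-existing ID is distinguishable from a missing one.

```python
"""Existence oracle in a GET /article/{id} handler: leaky vs hidden responses.

Constructed example. The store, the permission rule and the user names
(alice, bob, mallory) are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Article:
    id: int
    owner: str
    body: str


# Constructed sample data: two articles owned by two different users.
ARTICLES: Dict[int, Article] = {
    2386: Article(2386, "alice", "alice's draft"),
    2387: Article(2387, "bob", "bob's notes"),
}

# Assumed permission rule: only the owner may read an article.
def can_view(user: str, article: Article) -> bool:
    return user == article.owner


# The three policies under discussion.
LEAKY = "leaky"          # 404 if missing, 403 if it exists but is forbidden
HIDE_AS_404 = "hide404"  # 404 for both missing and forbidden (the answer's choice)
HIDE_AS_403 = "hide403"  # 403 for both missing and forbidden (the asker's proposal)

Response = Tuple[int, dict]


def get_article(user: Optional[str], article_id: int,
                policy: str = HIDE_AS_404) -> Response:
    """Return (status, json_body) for GET /article/{article_id}."""
    if user is None:
        # Unauthenticated: 401, regardless of whether the article exists.
        return 401, {"error": "authentication required"}

    article = ARTICLES.get(article_id)
    if article is not None and can_view(user, article):
        return 200, {"id": article.id, "body": article.body}

    # From here on the caller is authenticated but must not see the article,
    # either because it does not exist or because it is not theirs.
    exists = article is not None
    if policy == LEAKY:
        # Distinct answers for the two cases: this is the existence oracle.
        if exists:
            return 403, {"error": "forbidden"}
        return 404, {"error": "not found"}
    if policy == HIDE_AS_403:
        return 403, {"error": "forbidden"}
    # Default HIDE_AS_404: status AND body are identical in both cases.
    return 404, {"error": "not found"}


def scan(user: str, ids: Iterable[int], policy: str) -> Dict[int, int]:
    """What a scanning attacker observes: id -> status code."""
    return {i: get_article(user, i, policy)[0] for i in ids}


def leaks_existence(policy: str, attacker: str = "mallory") -> bool:
    """True if a non-owner can tell an existing-but-forbidden ID from a missing one.

    2386 exists (owned by alice); 999999 is assumed not to exist. If the two
    full responses differ in any way, the policy leaks existence.
    """
    forbidden = get_article(attacker, 2386, policy)
    missing = get_article(attacker, 999999, policy)
    return forbidden != missing


if __name__ == "__main__":
    for policy in (LEAKY, HIDE_AS_404, HIDE_AS_403):
        print(policy, scan("mallory", [2385, 2386, 2387], policy),
              "leaks" if leaks_existence(policy) else "does not leak")
```

Both uniform policies close the oracle in this handler, but only if the whole response is identical: status, body, headers and, as far as practical, response time (looking up permissions only for articles that exist is a timing side channel). The same policy also has to hold across methods; a DELETE that answers 403 while GET answers 404 for the same ID reopens the oracle.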