Menu
Semantically speaking, an API should return an error message adapted to the situation. For instance, if a user makes a request to GET /article/2386, it should return (the user needs to be auth to request that API to handle rights management):
Now I wonder if it's not wiser to return 403 Forbidden in both cases, as an evil user could try to randomly scan resources and get insights on whether they exist or not (403 if they exist, 404 if they don't).
So would it be advisable to return a 403 in both cases or is it "criminal"?
423
Check the Requested URL The most common cause of a 403 Forbidden Error is simply inputting an incorrect URL. As discussed before, many tightly secured web servers disallow access to improper URLs. This could be anything from accessing a file directory to accessing a private page meant for other users.
The 401 status code indicates that the HTTP request has not been applied because it lacks valid authentication credentials (usually username and password) for the target resource. If the request included authentication credentials, the 401 response indicates that authorization has been refused for those credentials.
401 Unauthorized is the status code to return when the client provides no credentials or invalid credentials. 403 Forbidden is the status code to return when a client has valid credentials but not enough privileges to perform an action on a resource.
1. 500 Internal Server Error - The server encountered an unexpected condition which prevented it from fulfilling the request. 2. 404 Not Found - The server has not found anything matching the Request-URI.
I've hit a number of situations like this before and I usually went the other route of 404ing if they don't have permissions. My rational being there is no article of ID 2386 that you can view, therefore NotFound. I like that more than "you don't have permissions to view something that doesn't exist".
As for "is it criminal", I would say no. I'm far from a RESTefarian but I consider REST to be a guide to making your api more intuitive for consumers. If security means you need to change things a little bit so be it. Plus, does this really make it any less intuitive?
I hope this helps :).
72
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
