Access denied: 403 or 404?

rest http http-status-code-404 http-status-code-403
Robo Robok picture Robo Robok · Feb 18, 2015 · Viewed 23.8k times · Source

What status code should be returned if somebody request access to the entity that he is not permitted to see? You'll probably say it's 403: Forbidden. But is it common practice to return 404 instead? I don't want somebody know that this entity even exists if he is not permitted to see it. What do you think?

Answer

Teoman shipahi picture Teoman shipahi · Jun 26, 2015

Use 404 Not found.

The 404 status code can also be used in 403 scenarios, when the server does not want to send back the reason why it is refusing to serve the request. A good example is when the server senses some kind of an attack, which might be a brute force attack. In this case, the server responds with a 404 Not found instead of a 403 Forbidden and an explanation.

Source: Pro ASP.NET Web API Security

Related questions

Getting a HttpStatusCode of 0

Why am I getting a HttpStatusCode of 0 if I point the service my client is connecting to to a bad URL. My statusCodeAsInt is showing up as a 0. Why is it not showing up as a 404 and being handled? IRestResponse …

Read More
HTTP GET 200 vs 204

We are designing a public API, and trying to figure out what is the best practice for GET with following cases: Path param: /orders/{orderId} Found: 200 with a response body. Not Found: 404. Query param: /Products/{productId}/orders?color={color} Found …

Read More
PUT vs. POST in REST

According to the HTTP/1.1 Spec: The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line In other words, …

Read More