Access denied: 403 or 404?

Robo Robok · Feb 18, 2015 · Viewed 23.8k times

What status code should be returned if somebody requests access to an entity that he is not permitted to see? You'll probably say it's 403: Forbidden. But is it common practice to return 404 instead? I don't want somebody to know that this entity even exists if he is not permitted to see it. What do you think?

Answer

Teoman shipahi · Jun 26, 2015

Use 404 Not found.

The 404 status code can also be used in 403 scenarios, when the server does not want to send back the reason why it is refusing to serve the request. A good example is when the server senses some kind of an attack, which might be a brute force attack. In this case, the server responds with a 404 Not found instead of a 403 Forbidden and an explanation.

Source: Pro ASP.NET Web API Security
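As an added example (not part of the question or the answer, and not taken from the cited book), here is a minimal handler in each style: the leaky one answers 403 and so confirms the entity exists, while the other sends the same 404 for "missing" and "not yours" and keeps the real reason only in a server-side audit log. The entity store, user names and audit log are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: entity id -> owner id.
ENTITIES = {
    "doc-1": "alice",
    "doc-2": "bob",
}

# Constructed server-side audit trail; the client never sees it.
AUDIT_LOG: list = []


def audit(reason: str, entity_id: str, user: str) -> None:
    """Record why a request was refused so operators can still spot probing."""
    AUDIT_LOG.append((reason, entity_id, user))


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# One shared body for every negative case, so the caller cannot tell
# "does not exist" from "exists but not yours" by comparing responses.
NOT_FOUND = Response(404, '{"error": "not found"}')


def get_entity_leaky(entity_id: str, user: str) -> Response:
    """Naive handler: a 403 tells the caller that the entity exists."""
    owner = ENTITIES.get(entity_id)
    if owner is None:
        return Response(404, '{"error": "not found"}')
    if owner != user:
        return Response(403, '{"error": "forbidden"}')
    return Response(200, f'{{"id": "{entity_id}", "owner": "{owner}"}}')


def get_entity(entity_id: str, user: str) -> Response:
    """Handler following the answer: unauthorized and missing look identical."""
    owner = ENTITIES.get(entity_id)
    if owner is None or owner != user:
        # Keep the distinction server-side for detection; send the client 404 only.
        audit("missing" if owner is None else "forbidden", entity_id, user)
        return NOT_FOUND
    return Response(200, f'{{"id": "{entity_id}", "owner": "{owner}"}}')
```

The body is only one channel: headers and response time for the two negative cases should match as closely as practical, or the existence check leaks anyway.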