: Should I use a 404 or a 403 error for secure content I have a set of content in my web app that should only be visible if you are logged in. They have not public equivalent, should never
I have a set of content in my web app that should only be visible if you are logged in. They have not public equivalent, should never be crawled, or otherwise known outside of logged in users of specific security levels. I come from the network security world so my first instinct is to "cloak the port" to steal a Steve Gibson line, return a 404 indicating there is nothing there, nor should you expect anything to be there. In the custom 404 page I may include some text advising you to log in if you are not already.
Is this bad practice? Do I gain anything from using the 403 and hanging a sign on my tools that "There is something here, dare you access it".
Edit:
Also, I am not using .htaccess to manage folder level permissions. I am using session tracking and Oath to manage logins, so the browser is never used to ask for a login, a web form is. Each script compares against a permission list associated with the currently logged in user. So I should be using 403 not a 401 error.
More posts by @Pope3001725
1 Comments
Sorted by latest first Latest Oldest Best
You need to return 401 for technical reasons: the 401 is what tells the browser to prompt the user for a username and password. If you don't return 401, nobody will be able to log in because their browsers will never prompt them to log in! This situation is only applicable to 401 which is tightly tied to the authentication built in to the HTTP protocol. When using another kind of authentication (e.g. a session cookie), 401 is never used (usually 403 is used instead) and this paragraph does not apply.
Even if that weren't the case, there's another technical reason why 401 should be returned: if a legitimate user were to access the resource once without logging in and received a 404, their browser is allowed to cache this fact, and later when they were logged in and tried to access the resource again, the browser (or intermediate cache) would be allowed to return the cached 404 without requerying the server. The preceding paragraph isn't true. Only responses with status codes 200, 203, 206, 300, 301 or 410 may be cached.
This isn't usually much of a problem because typically an entire subdirectory is protected by authentication (or even an entire site if it's configured on the site's root directory), so attackers can't learn anything about resources that may or may not exist under the protected subdirectory because they get a 401 for anything they query under that subdirectory (whether it exists or not). The only thing they learn is that the protected subdirectory exists.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.