
My server is returning a 404 instead of 403 when access is forbidden - is it good or bad?

@Sent6035632

Posted in: #Apache #Htaccess #Security #Seo

Via .htaccess, I forbid access to folders that have no index page inside (domain.com/images for example), and also block my site completely for several user-agents (such as wget).

When I test to see what these kinds of users see when accessing my website on each of these occasions, the error message that is displayed is something like:


"Forbidden

You don't have permission to access /images/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."


The title is 403 error, but in my server logs I see that the server is returning a 404 error.

So - is this "good" or "bad"? What does the above message mean?


3 Comments


@Michele947

I think that your server can't find the error doc that you specified.

Further, use a header checker to check the header; if it's a 403, no problem.


@Deb1703797

It looks like you probably set up the forbidden error document with 404 instead of 403. But unless you were to show us your .htaccess setup, it will be difficult for us to help you.

In regard to returning 404 instead of 403, I do that a lot. That's a way to not give away the fact that certain pages or directories exist. Say I have a "secret" path that only administrators can access, no one needs a 403 because no one except a very few people who can administrate the site and they probably need to log in before they can access that area of the site.

In your case, though, it may be less of a good idea. But the truth is that /images is not forbidden. It is just that you do not have a default index.html, so returning 404 is probably better because a path such as /images/eiffel-tower.jpg would also be forbidden if the root directory is forbidden (at least with my logic.)


@Cugini213

The 403 Forbidden error is due to the access denied issue as intended, there is no issue here - that seems fine.

The 404 Page Not Found error is due to your .htaccess file looking for, and not finding where it expects, some kind of customised error page to show in this circumstance. It's possible your hosting provider may have this configured at the server-level rather than it being under your control. Your log file should actually show the file it is trying to find alongside the error.

If the ErrorDocument had not been specified in the .htaccess file then Apache would have simply used a default basic error page; however, since it has been specified, you should ensure you have a file in place. Doing so will ensure:


(a) users are not led to believe your web-server/website might have other misconfiguration issues which could be exploited; and
(b) your log files won't be bloated with an extra 404 error for every 403 error (this may be particularly appreciated if you pay per megabyte of hosted disk-space, if you have a quota limit restricting your available disk-space, or if your logs work on a time-limit cycle, for example storing only the last 72 hours' worth of log entries and removing older ones as newer entries are added).


If the ErrorDocument configuration requires you to have /403.html as your error file but you wish to use /errors/access-denied.php for example, then you could create an HTTP 301 redirect or rewrite rule in your .htaccess file to manage this.

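A check for the condition discussed in this thread, added here as an example and not taken from any poster's configuration: it scans .htaccess text for `ErrorDocument` directives and reports local targets that have no file under the document root, which is what produces the extra 404 on every 403. The function names and sample paths are hypothetical, and it assumes URL-paths map directly onto the document root (no Alias or rewrite rules).

```python
import os
import re
import tempfile

# Matches "ErrorDocument <status> <target>"; commented-out lines do not match.
DIRECTIVE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)

def missing_error_documents(htaccess_text, docroot):
    """Return [(status, target)] for local ErrorDocument targets with no file under docroot."""
    missing = []
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        status, target = int(m.group(1)), m.group(2)
        # Only local URL-paths (leading slash) map to files on disk; full URLs,
        # quoted message text and the keyword "default" need no file.
        if not target.startswith('/'):
            continue
        url_path = target.split('?', 1)[0]
        # Assumption: URL-paths map directly onto docroot (no Alias or rewrite).
        fs_path = os.path.normpath(os.path.join(docroot, url_path.lstrip('/')))
        if not os.path.isfile(fs_path):
            missing.append((status, target))
    return missing

def demo():
    # Constructed sample: 403 points at a missing file, 404 at an existing one.
    sample = '\n'.join([
        'Options -Indexes',
        'ErrorDocument 403 /errors/403.html',
        'ErrorDocument 404 /errors/404.html',
        'ErrorDocument 500 "Something went wrong."',
        '# ErrorDocument 401 /errors/401.html',
    ])
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, 'errors'))
        with open(os.path.join(docroot, 'errors', '404.html'), 'w') as f:
            f.write('<h1>Not Found</h1>')
        return missing_error_documents(sample, docroot)

if __name__ == '__main__':
    for status, target in demo():
        print(f'ErrorDocument {status} -> {target}: file not found under document root')
```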

