Is it OK to give status 404 to unauthorized users?
In recent months I have come across several sites, which give a 404 status/error page, when there should be 403 or maybe 401.
For example, I have a private repository on github.com with link:
github.com/BlueGhost-cz/BG3
When I accidentally logged out and tried to reach this link, I only got a "This is not the page you are looking for" message, which is obviously not true. I AM looking for it and the resource DOES exist, I am just not authenticated. I would expect a 403 or some other "permission denied" page. This one really scared me for a few seconds, because it implied my repository was deleted.
Do you also consider this to be wrong? What would be the "best practice" in this area?
Well, 404 should be used when the resource does not exist; it's not that you're not authorized, it is not there at all. 403 should be for forbidden resources: regardless of whether you're authenticated, you might not have permission over a given resource. I'd rather use 401 for resources that are found but require some sort of authentication to get them. IMO
Personally I think this is justified. By returning a 403 instead, Github would be confirming that a repository with that name exists, which in itself could be seen as a security hole (or at least undesirable).
As a contrived example, imagine that these repositories existed:
github.com/valve/HalfLife
github.com/valve/HalfLife2
If one day github.com/valve/HalfLife3 started returning a 403, that would basically confirm that Half Life 3 was being worked on.
The flip side of this is that it's not uncommon for web servers to be configured to serve 403s for non-existent URLs, for the same reason.
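The two policies discussed in this thread (a literal 401/403/404 split versus collapsing "private and not readable" into 404) can be compared directly. RFC 7231 §6.5.3 and its successor RFC 9110 §15.5.4 explicitly allow the second: a server wishing to hide the existence of a forbidden resource MAY respond with 404 instead of 403. The following is an added example, not code from the question or answers, and not GitHub's implementation. It uses a constructed in-memory repository table with hypothetical owner, repository and user names, and a small probe function that shows why the naive policy acts as an existence oracle for anyone who can send a request.

```python
"""Compare two HTTP status-code policies for private resources.

status_naive        : 404 if absent, 401 if login needed, 403 if denied.
status_hide_existence: 404 whenever the caller may not read the resource,
                       so "private and hidden" is indistinguishable from "absent".
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Repo:
    owner: str
    name: str
    private: bool
    readers: frozenset  # usernames allowed to read a private repo


# Constructed sample data: owner, repo and user names are hypothetical.
REPOS = {
    ("valve", "HalfLife"): Repo("valve", "HalfLife", private=False, readers=frozenset()),
    ("valve", "HalfLife3"): Repo("valve", "HalfLife3", private=True, readers=frozenset({"alice"})),
}


def lookup(owner: str, name: str) -> Optional[Repo]:
    """Return the repo record or None if no such repo exists."""
    return REPOS.get((owner, name))


def can_read(repo: Repo, user: Optional[str]) -> bool:
    """Public repos are readable by everyone; private ones only by listed readers."""
    return (not repo.private) or (user is not None and user in repo.readers)


def status_naive(owner: str, name: str, user: Optional[str]) -> int:
    """Literal reading of the status-code semantics.

    Note: a real 401 response must also carry a WWW-Authenticate header;
    only the status code is modelled here.
    """
    repo = lookup(owner, name)
    if repo is None:
        return 404
    if can_read(repo, user):
        return 200
    return 401 if user is None else 403


def status_hide_existence(owner: str, name: str, user: Optional[str]) -> int:
    """Policy the second answer describes: deny and absent both look like 404."""
    repo = lookup(owner, name)
    if repo is None or not can_read(repo, user):
        return 404
    return 200


def leaks_existence(policy: Callable[[str, str, Optional[str]], int],
                    owner: str, name: str, user: Optional[str] = None) -> bool:
    """True if a caller with this identity can distinguish the target from a
    name that certainly does not exist, i.e. the policy confirms the resource
    exists even though the caller may not read it."""
    target = policy(owner, name, user)
    absent = policy(owner, "no-such-repo-" + name, user)
    return target != absent and target != 200


if __name__ == "__main__":
    for policy in (status_naive, status_hide_existence):
        print(policy.__name__, "anonymous probe of private repo ->",
              policy("valve", "HalfLife3", None),
              "| leaks existence:", leaks_existence(policy, "valve", "HalfLife3"))
```

With the naive policy an anonymous request for the private repository gets 401 while a request for a nonexistent name gets 404, so the status code alone confirms that the repository exists. With the hiding policy both requests return 404 and the probe learns nothing; an authorized reader still gets 200. The price, as the question points out, is that a legitimate but logged-out owner sees the same misleading page as everyone else.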