Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?

by

Actually, the W3C recommends (RFC 2616 §10.4.4 403 Forbidden) doing the opposite. If someone attempts to access a resource, but is not properly authenticated, return 404 then, rather than 403 (Forbidden). This still solves the information disclosure issue.

If the server does not wish to make
this information available to the
client, the status code 404 (Not
Found) can be used instead.

Thus, you would never return 403 (or 401). However, I think your solution is also reasonable.

EDIT: I think Gabe’s on the right track. You would have to reconsider part of the design, but why not:

  • Not found – 404
  • User-specific insufficient permission – 404
  • General insufficient permission (no one can access) – 403
  • Not logged in – 401

More Related Contents:

  1. How to redirect all HTTP requests to HTTPS
  2. Are HTTP cookies port specific?
  3. REST HTTP status codes for failed validation or invalid duplicate
  4. Which status code should I use for failed validations or invalid duplicates?
  5. HTTP response code for POST when resource already exists
  6. Is it safe to put a jwt into the url as a query parameter of a GET request?
  7. HTTP status code for a partial successful request
  8. Is HTTP header Referer sent when going to a http page from a https page?
  9. How to redirect all HTTP requests to HTTPS using .htaccess rules?
  10. WS on HTTP vs WSS on HTTPS
  11. When is it appropriate to respond with a HTTP 412 error?
  12. How do I secure REST API calls?
  13. Securing an API: SSL & HTTP Basic Authentication vs Signature
  14. How to send password securely via HTTP using Javascript in absence of HTTPS?
  15. Response status code for searches in REST APIs
  16. What is the difference between POST and PUT in HTTP?
  17. Fundamental difference between Hashing and Encryption algorithms
  18. HTTP POST with URL query parameters — good idea or not?
  19. What is the difference between HTTP status code 200 (cache) vs status code 304?
  20. Best way to handle security and avoid XSS with user entered URLs
  21. Why is using a Non-Random IV with CBC Mode a vulnerability?
  22. What should every programmer know about security? [closed]
  23. Stopping users voting multiple times on a website
  24. How will a server become vulnerable with chmod 777?
  25. IIS7, web.config to allow only static file handler in directory /uploads of website
  26. How to do stateless (session-less) & cookie-less authentication?
  27. Should I impose a maximum length on passwords?
  28. SSO with CAS or OAuth?
  29. Has Hardware Lock Elision gone forever due to Spectre Mitigation?
  30. How to block external http requests? (securing AJAX calls)

Leave a Comment