Friday, March 26, 2010

Consistent HTTP Codes

Does it pay in terms of security to have consistent HTTP error codes returned to the requesting clients? Does it make more sense to return an HTTP 404 when something isn't found and an HTTP 403 when something is forbidden? Or does it make more sense to always use either 404 or 403 exclusively?

1 comment:

  1. 403 means that the resource exists but the user is not authorized to use it. Examples of this include directory listings (which do exist when permitted by the server, and are forbidden if not; implied: they do exist).
    404 means that the resource just isn't there.

    Giving off false HTTP codes is never a good thing. Most browsers (not to mention web crawlers) are designed to react a certain way to a certain reply. Messing with that will give your users the wrong idea.

    You COULD tell your server to send a 404 on a directory listing, but then that implies that the directory doesn't exist, and that no files may be requested from that directory.

    It's always safest to go with the specs. And the HTTP spec is pretty much tried and tested.
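The two policies the question and the comment are weighing, as an added example that is not part of the original post or the comment: a tiny handler that either follows the spec literally (404 for unknown paths, 403 for known-but-forbidden ones) or collapses the forbidden case into 404 for a protected prefix so an unauthenticated client cannot distinguish "absent" from "forbidden". The resource table, the `/admin/` prefix, the `X-User` header standing in for real authentication, and the `status_for` function are all assumptions made for this example.

```python
# Added example, not code from the original post or its commenter.
# The resource/ACL table, the "/admin/" prefix and the X-User header
# are constructed sample data standing in for a real application.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed sample data: which paths exist and which principals may read them.
# "anyone" marks a public resource; "/admin/" is a directory listing.
RESOURCES = {
    "/public/index.html": {"anyone"},
    "/admin/reports": {"admin"},
    "/admin/": {"admin"},
}

# Paths under this prefix should not reveal their existence to callers
# who are not allowed to read them (only used when hide_existence=True).
HIDDEN_PREFIX = "/admin/"


def status_for(path: str, principal: Optional[str], hide_existence: bool) -> int:
    """Return the HTTP status for a GET by `principal` on `path`.

    hide_existence=False follows the spec literally: 404 when the path is
    unknown, 403 when it exists but the caller may not read it.
    hide_existence=True answers 404 instead of 403 for forbidden paths under
    HIDDEN_PREFIX, so the status code no longer leaks whether the path exists.
    The cost is the one the comment above describes: the client is told the
    resource is absent, and well-behaved clients and crawlers will treat it so.
    """
    allowed = RESOURCES.get(path)
    if allowed is None:
        return 404
    if "anyone" in allowed or principal in allowed:
        return 200
    if hide_existence and path.startswith(HIDDEN_PREFIX):
        return 404
    return 403


class Handler(BaseHTTPRequestHandler):
    # Flip this to True to run the server with the existence-hiding policy.
    hide_existence = False

    def do_GET(self) -> None:
        # Constructed auth scheme: the X-User header stands in for a real
        # authenticated session so the example runs without any login code.
        principal = self.headers.get("X-User")
        code = status_for(self.path, principal, self.hide_existence)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(f"{code}\n".encode())


if __name__ == "__main__":
    # Usage: python consistent_codes.py, then e.g.
    #   curl -i http://127.0.0.1:8080/admin/reports
    #   curl -i -H 'X-User: admin' http://127.0.0.1:8080/admin/reports
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With `hide_existence=False` an anonymous request for `/admin/reports` gets 403 and one for `/nope` gets 404, so the two cases are distinguishable by status alone; with `hide_existence=True` both get 404, and only an authorized principal ever learns that the path exists. Which policy is right depends on whether existence of the protected paths is itself something you need to keep confidential, which is the trade-off the original question is asking about.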