Friday, March 26, 2010

Consistent HTTP Codes

Does it pay in terms of security to have consistent HTTP error codes returned to the requesting clients? Does it make more sense to return an HTTP 404 when something isn't found and an HTTP 403 when something is forbidden? Or does it make more sense to always use either 404 or 403 exclusively?
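To make the trade-off concrete, here is an added example (not from the original post) that compares the two policies from the client's side and lists which unreadable paths each one confirms as existing. The paths, users, `ACL` table and function names are all constructed for illustration.

```python
from http import HTTPStatus

# Constructed sample data: path -> users allowed to read it.
ACL = {
    "/reports/q1.pdf": {"alice"},
    "/reports/q2.pdf": {"alice", "bob"},
    "/public/index.html": {"alice", "bob", "guest"},
}
# Paths to probe in the check; /reports/q3.pdf does not exist.
CANDIDATES = list(ACL) + ["/reports/q3.pdf"]
# A path assumed never to exist, used to learn the "missing" response.
MISSING = "/no-such-path-for-baseline"


def distinct_policy(path, user):
    """404 when the path is missing, 403 when it exists but is forbidden."""
    if path not in ACL:
        return HTTPStatus.NOT_FOUND
    if user not in ACL[path]:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def uniform_policy(path, user, code=HTTPStatus.NOT_FOUND):
    """One code (404 or 403, caller's choice) for both missing and forbidden."""
    if path not in ACL or user not in ACL[path]:
        return code
    return HTTPStatus.OK


def leaked_paths(policy, user, candidates):
    """Paths the user cannot read but whose existence the status code reveals.

    A path leaks when its response is neither 200 nor the response the
    same user gets for a path that does not exist.
    """
    baseline = policy(MISSING, user)
    return sorted(p for p in candidates
                  if policy(p, user) not in (baseline, HTTPStatus.OK))


if __name__ == "__main__":
    for name, policy in (("distinct", distinct_policy),
                         ("uniform", uniform_policy)):
        print(name, leaked_paths(policy, "guest", CANDIDATES))
```

The status code is only one signal: against a real application the same comparison would also have to cover response bodies and headers.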