Shea Levy

Reputation: 5415

Can an HTTP server respond with a 404 to conceal the existence of a resource?

There may be cases where a client that doesn't have authorization to access a resource should be told that it doesn't exist instead of being told they aren't authorized. If a server does this, is it technically a violation of HTTP 1.1?

Upvotes: 1

Views: 76

Answers (1)

pi.

Reputation: 21542

There is nothing in the RFC that forces you to tell the client the truth every time.

In the end it boils down to how you want the people behind the browser to react to a certain response. If you would send a 403 Forbidden the user would know they may not access this resource (and no authentication window would open automatically). If you instead were to send a 404 Not Found they could think to themselves that the server operator (you) made an error.

Your choice.

Upvotes: 1
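An added example, not part of the original question or answer: a minimal WSGI handler that applies the concealment discussed above, returning a byte-identical 404 for a missing resource and for one the caller may not read, while logging the real reason server-side. The `ACL` table, the use of `REMOTE_USER` as the already-authenticated identity, and all function names are assumptions made for illustration.

```python
from http import HTTPStatus
import logging

log = logging.getLogger("authz")

# Constructed sample data: resource path -> users allowed to read it.
ACL = {
    "/reports/q3": {"alice"},
    "/public/readme": {"alice", "bob"},
}
NOT_FOUND_BODY = b"Not Found\n"

def decide(user, path, conceal=True):
    """Return (status, body, reason). `reason` is for server-side logs only."""
    allowed = ACL.get(path)
    if allowed is None:
        return HTTPStatus.NOT_FOUND, NOT_FOUND_BODY, "missing"
    if user in allowed:
        return HTTPStatus.OK, b"content of " + path.encode() + b"\n", "ok"
    if conceal:
        # RFC 2616 section 10.4.4 permits 404 in place of 403 when the server
        # does not want to reveal why the request was refused. Reuse the exact
        # body of a real 404 so the two cases cannot be told apart.
        return HTTPStatus.NOT_FOUND, NOT_FOUND_BODY, "denied"
    return HTTPStatus.FORBIDDEN, b"Forbidden\n", "denied"

def app(environ, start_response):
    """WSGI entry point. Assumes the server set REMOTE_USER after authentication."""
    user = environ.get("REMOTE_USER", "")
    path = environ.get("PATH_INFO", "/")
    status, body, reason = decide(user, path)
    # The true outcome stays in the log, so denied probes remain visible to defenders.
    log.info("user=%r path=%r status=%d reason=%s", user, path, status, reason)
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    start_response(f"{status.value} {status.phrase}", headers)
    return [body]

def call(user, path):
    """Drive `app` without a socket; returns (status line, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app({"REMOTE_USER": user, "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body
```

Comparing `call("bob", "/reports/q3")` with `call("bob", "/no/such/page")` is a useful regression check: any difference in status line, headers or body reveals that the resource exists.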
