Reputation: 5153
Semantically speaking, an API should return an error message adapted to the situation. For instance, if a user makes a request to GET /article/2386, it should return (the user needs to be authenticated to request that API, to handle rights management):
Now I wonder if it's not wiser to return 403 Forbidden in both cases, as an evil user could try to randomly scan resources and get insights on whether they exist or not (403 if they exist, 404 if they don't).
So would it be advisable to return a 403 in both cases or is it "criminal"?
Upvotes: 9
Views: 4501
Reputation: 421
I've hit a number of situations like this before and I usually went the other route of 404ing if they don't have permissions. My rationale being: there is no article of ID 2386 that you can view, therefore NotFound. I like that more than "you don't have permissions to view something that doesn't exist".
As for "is it criminal", I would say no. I'm far from a RESTafarian, but I consider REST to be a guide to making your API more intuitive for consumers. If security means you need to change things a little bit, so be it. Plus, does this really make it any less intuitive?
I hope this helps :).
Upvotes: 15
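Added example (not code from the question or the answer): a minimal Python handler for GET /article/&lt;id&gt; in the two variants discussed, with a constructed in-memory store and grant table, plus a check showing that only the "semantically precise" variant lets an authenticated caller tell a forbidden article from a missing one. The store, the grant table and the handler names are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample data: article id -> owner, and user -> ids they may read.
ARTICLES = {2386: "alice", 2387: "bob"}
READ_GRANTS = {"alice": {2386}, "bob": {2387}, "carol": set()}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# One shared 404 so status, body and headers are byte-identical in both cases.
NOT_FOUND = Response(404, "Not Found")


def get_article_leaky(user, article_id):
    """Semantically precise: 401 / 403 / 404 are all distinguishable, so an
    authenticated caller can learn which ids exist without being allowed
    to read any of them (the concern raised in the question)."""
    if user is None:
        return Response(401, "Unauthorized")
    if article_id not in ARTICLES:
        return Response(404, "Not Found")
    if article_id not in READ_GRANTS.get(user, set()):
        return Response(403, "Forbidden")
    return Response(200, f"article {article_id} by {ARTICLES[article_id]}")


def get_article_hardened(user, article_id):
    """The answer's approach: 'there is no article you can view' is the same
    outcome whether the id is missing or the caller lacks rights, so both
    return the identical 404. Only the authentication check stays
    distinguishable, and it reveals nothing about any particular id."""
    if user is None:
        return Response(401, "Unauthorized")
    if article_id not in ARTICLES or article_id not in READ_GRANTS.get(user, set()):
        return NOT_FOUND
    return Response(200, f"article {article_id} by {ARTICLES[article_id]}")


def leaks_existence(handler, user, hidden_existing_id, missing_id):
    """True if the handler answers an existing-but-unreadable id differently
    from a nonexistent id, i.e. a single probe can tell them apart."""
    return handler(user, hidden_existing_id) != handler(user, missing_id)
```

The hardened variant must keep the body and headers identical too; a 404 whose body says "forbidden" leaks exactly what the status was meant to hide.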