Jiew Meng

Reputation: 88247

404 Not Found when Accessing Unauthorized/Not Found Resources?

Suppose I have Tasks with ID of 1, 2, 3, 4. User A is allowed access to 1 & 2 only.

Upvotes: 2

Views: 3311

Answers (2)

crodjer

Reputation: 13624

Let us say you have a site with some pages with the following access rights:

  1. A general page, to which everyone has access.
  2. A page which requires a logged-in user, still accessed by the mass public.
  3. An admin page, which can be accessed only by a small group of people.
  4. A nonexistent page.

So for a visitor with no rights, what I suggest is to use:
403 (No permissions) with 2.
404 (Does not exist) with 3, as no general user should ever come across any link to that page, so it might as well be nonexistent for them.
And obviously 4, a nonexistent page, should always result in a 404 response.

Upvotes: 2

Wyzard

Reputation: 34563

If the user doesn't have access to the task but it's OK for him to know that the task exists, use 403. If the user shouldn't even be able to determine the existence of tasks that he doesn't have access to, use 404.

Trying to access a nonexistent task should definitely result in a 404 response.

You should always use an appropriate status code in an HTTP response, because it tells the browser how it should treat the response. If you return a "resource not found" error message with a 200 OK status code, the browser will think that the message is the actual page that the user requested, and will probably cache it. If you use a 404 code (or 403, etc.), the browser will understand that the page you sent back isn't actually what was requested, so it'll know not to cache it or enter its URL in the browsing history. The body of the response can still be a nice-looking HTML page with an error message for a human to read.

Upvotes: 1
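The 403-versus-404 choice discussed in the answers above, as an added example that is not part of either post: a framework-free handler for the question's scenario (tasks 1 to 4, user A allowed 1 and 2) plus a check that the "hide existence" policy returns identical responses for a forbidden task and a missing one. The names `get_task`, `leaks_existence`, `hide_existence` and the task titles are assumptions made for illustration.

```python
from http import HTTPStatus

# Constructed sample data matching the question: tasks 1-4, user A may read 1 and 2.
TASKS = {1: "Write report", 2: "Review PR", 3: "Rotate keys", 4: "Patch server"}
ACL = {"A": {1, 2}}


def error(status: HTTPStatus) -> tuple[int, dict, str]:
    # One generic body per status code, so the body never says more than the code does.
    return status.value, {"Content-Type": "text/plain"}, status.phrase


def get_task(user: str, task_id: int, hide_existence: bool) -> tuple[int, dict, str]:
    """Return (status, headers, body) for GET /tasks/<task_id>.

    hide_existence=True  -> forbidden and missing tasks both answer 404.
    hide_existence=False -> forbidden answers 403, missing answers 404.
    """
    if task_id not in TASKS:
        return error(HTTPStatus.NOT_FOUND)
    if task_id not in ACL.get(user, set()):
        # The only branch where the two policies differ.
        return error(HTTPStatus.NOT_FOUND if hide_existence else HTTPStatus.FORBIDDEN)
    return HTTPStatus.OK.value, {"Content-Type": "text/plain"}, TASKS[task_id]


def leaks_existence(user: str, forbidden_id: int, missing_id: int,
                    hide_existence: bool) -> bool:
    """True if a client can tell a forbidden task from a missing one by the response."""
    return (get_task(user, forbidden_id, hide_existence)
            != get_task(user, missing_id, hide_existence))


if __name__ == "__main__":
    for hide in (False, True):
        for task_id in (1, 3, 99):  # allowed, forbidden, missing
            status, _, body = get_task("A", task_id, hide)
            print(f"hide_existence={hide} task={task_id}: {status} {body}")
        print("  existence leak:", leaks_existence("A", 3, 99, hide))
```

The comparison covers status, headers and body together, since a 404 with a different body for the forbidden case would still let a client distinguish the two.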
