undefined | Better HN

0 pointsjacques_chester11y ago0 comments

A 403 only works in the case that you have an all-or-nothing authentication scheme.

A 403 for a resource that exists but is unauthorised leaks the information that the resource exists.

Many Github customers don't want people to be able to guess at their private repos, and the 404 is the only code that is legitimately able to express the union of "not here" and "not here because you're not allowed to know it's here".

0 comments

3 comments · 1 top-level

vacri11y ago· 2 in thread

Not at all. If I have a private repo "foo" and a public repo "bar" and no others, given an unauth'd request:

    > request "foo" => 403
    > request "bar" => 200
    > request "baz" => 403
    > request "qux" => 403

The unauth'd requester can't tell that foo exists and baz and qux do not.

jsprogrammer11y ago

Right, but if someone requests:

    > request "lkj3fla3kjf1ljf3jf"

Which doesn't exist anywhere, it makes no sense to return 403.

jacques_chesterOP11y ago

Now you're breaking 403, which is not meant to signal the non-existence of a resource. That's what 404 is for.

The "hiding the existence of resources" purpose has to be carried by something. The RFC says it's carried by 404, and that's that.

j / k navigate · click thread line to collapse