What status code should be returned if somebody requests access to an entity that he is not permitted to see? You'll probably say it's 403: Forbidden. But is it common practice to return 404 instead? I don't want somebody to know that this entity even exists if he is not permitted to see it. What do you think?
- What would you return for a resource that does *not* exist and which the client is not allowed to access? – Feb 18 '15 at 11:51
4 Answers
Use 404 Not found.
The 404 status code can also be used in 403 scenarios, when the server does not want to send back the reason why it is refusing to serve the request. A good example is when the server senses some kind of an attack, which might be a brute force attack. In this case, the server responds with a 404 Not found instead of a 403 Forbidden and an explanation.
Source: Pro ASP.NET Web API Security
Well.. it depends..
If your endpoints' URLs reveal sensitive information (e.g., in Dropbox API, you refer to files by their names, rather than their IDs - so the URLs contain the file names) or perhaps you're using sequential IDs (e.g., ascending IDs that can be brute-forced), return 404.
If you need to support a "Request Access" feature to resources you don't have permissions for, return 403, so your client-side could tell the difference.
Generally speaking, if your API uses IDs and never reveals information as part of its URLs and you're using UUIDs as IDs, I would go with 403.. as with many well-known and very secure applications nowadays (Google, Microsoft, etc..).
- That's tricky because 401 could be used for that request access scenario as well. Or, you could always return 403 (as someone else suggested) and allow access requests for non-existent resources that basically just go straight to trash. – Anthony Mar 06 '18 at 03:37
- 401 could be a bad idea since it means there's an issue with _authentication_. I.e. if an automated client is using a token, and gets a 401 because of a permission issue, it might assume the token expired, then re-authenticate to get a new one, then try again, and get a 401, then re-authenticate and try again.... – Kelnor Mar 07 '19 at 17:40
- Could you please provide a concrete example of a well-known API method that returns `403` in case you have no rights on the object? – Dmitriy Popov Jul 15 '20 at 13:57
- @DmitriyPopov I'd assume Google Docs should probably be such an example. – Moshe Bixenshpaner Aug 07 '20 at 15:25
- @DmitriyPopov https://developers.google.com/drive/api/v3/handle-errors#resolve_a_403_error_the_user_does_not_have_sufficient_permissions_for_file_fileid – Moshe Bixenshpaner Aug 07 '20 at 15:25
- @MosheBixenshpaner this link refers to the **write** action. But they use 404 when the user does not have **read** access to a file, or the file does not exist. https://developers.google.com/drive/api/guides/handle-errors#resolve_a_404_error_file_not_found_fileid I wonder what the response is if the user tries modifying a file which doesn't exist – Grade May 19 '22 at 11:09
- @Grade, is it possible that the docs aren't very up to date? I didn't check it lately, but here's a link that might say otherwise from the same page: https://developers.google.com/drive/api/guides/handle-errors#resolve_a_403_error_the_user_has_not_granted_the_app_appid_verb_access_to_the_file_fileid – Moshe Bixenshpaner May 20 '22 at 19:56
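The first two answers describe two policies: collapse "forbidden" and "nonexistent" into one identical 404 so the status code cannot be used as an existence oracle, or keep 403 and 404 distinct so a client can offer a "request access" flow. The following is an added example (not code from the question or any of the answers, and not from any of the APIs mentioned) that implements both policies behind a single flag and includes a check showing which policy lets an unauthorized caller tell the two cases apart. The resource store, user names and resource ids are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample store for the example: resource id -> users permitted to read it.
RESOURCES = {
    "doc-1": {"alice"},
    "doc-2": {"bob"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Shared constants so that every 404 (and every 403) has the exact same body.
# Differing bodies would leak what an identical status code was meant to hide.
NOT_FOUND = Response(404, '{"error":"not found"}')
FORBIDDEN = Response(403, '{"error":"forbidden"}')


def fetch(resource_id: str, user: str, hide_existence: bool) -> Response:
    """Authorize a read of resource_id by user and build the response.

    hide_existence=True : nonexistent and exists-but-forbidden both yield the
                          identical NOT_FOUND response (first answer's policy).
    hide_existence=False: nonexistent -> 404, exists-but-forbidden -> 403, so a
                          client can distinguish them and offer "request access"
                          (second answer's 403 case).
    """
    readers = RESOURCES.get(resource_id)
    if readers is None:
        return NOT_FOUND
    if user not in readers:
        return NOT_FOUND if hide_existence else FORBIDDEN
    return Response(200, f'{{"id":"{resource_id}"}}')


def leaks_existence(existing_id: str, missing_id: str, user: str,
                    hide_existence: bool) -> bool:
    """Return True if a user without read rights to existing_id can tell it
    apart from missing_id by comparing the two responses (status and body)."""
    return fetch(existing_id, user, hide_existence) != fetch(missing_id, user, hide_existence)


if __name__ == "__main__":
    for hide in (True, False):
        print(f"hide_existence={hide}: forbidden ->",
              fetch("doc-1", "bob", hide).status,
              "| missing ->", fetch("doc-999", "bob", hide).status,
              "| leaks existence:", leaks_existence("doc-1", "doc-999", "bob", hide))
```

The policy flag is the only difference between the two modes; everything else is shared so the comparison is fair. Note that `leaks_existence` compares only status and body: if the two code paths differ noticeably in response time (for example, one hits a database and the other does not), an observer could still tell them apart, which is a separate concern the status-code choice alone does not settle.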
Return 403 Forbidden. If you return this for every request the client is not allowed to access and if you never return 404 Not Found, the client knows nothing.
It all depends on how important this is for you:
"I don't want somebody to know that this entity even exists if he is not permitted to see it."
If this really is important, always return 403 Forbidden.
- That's essentially the same as always returning 404, you've just picked a different status to return for those two scenarios. For the record, if you always return 404 the client learns nothing. – Anthony Mar 06 '18 at 03:34
Hope you get some clarification on HTTP errors based on what I am posting below:
HTTP 401 error :: This error happens when a website visitor tries to access a restricted web page but isn't authorized to do so.
HTTP 403 error :: This error is similar to the 401 error, but note the difference between unauthorized and forbidden. This can for example happen if you try to access a directory (forbidden) on any website.
HTTP 404 error :: A 404 error happens when you try to access a resource on a web server (usually a web page) that doesn't exist.
- :P Forgot I was not working on my home site portal. It has just the similar feature as what I just mistook! Anyway, is this answer what you're looking for? – Prashant Gadhvi Feb 18 '15 at 12:23