codesections  

What do y'all think about this blog post arguing that serving 404 Not Found errors instead of 403 Forbidden errors is problematicly dishonest/confusing? blog.beeminder.com/slytherin40

From the post:

> Humans may sometimes need to lie to fully conceal sensitive information but computers should never need to

1+
Adrian Cochrane  

@codesections I've looked into this before, and my impression is that 400 Bad Request is the most appropriate status code.

1+
emsenn  

@alcinnz You might like my justification for why 404 is the right choice: it's the common error message, so by using it you don't raise any flags that you're an experienced or security-aware web administrator, which influence how attackers approach it. Obfuscate at every level you can. @codesections

1
Rune
Follow

@emsenn @alcinnz @codesections i personally prefer to return 418.

Not many exploits available for teapots.

· 0 · 3 · 2
Sign in to participate in the conversation
Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.

Stay safe. Please abide by our code of conduct.

(Source code)

image/svg+xml Librem Chat image/svg+xml