Suppose user A creates a private resource at, for example, /books/somebooktitle. If user B attempts to access the resource at /books/somebooktitle, what code should be returned?
HTTP 403: Permission denied seems obvious, BUT does this not leak information to user B that someone has created a book and named that book with the title "somebooktitle"? That's two pieces of information that user B shouldn't technically be entitled to.
HTTP 404: hides the fact that the book exists.
Is there best practice?
If you're concerned about leaks, you also need to be careful about not being vulnerable to timing attacks. If there is a significant time difference between a book which actually does not exist and a book for which the requester is unauthorized, then you're still leaking the information even if you return a 404 Not Found in both cases. – Vincent Savard, Sep 16, 2021 at 19:18
2 Answers
There is no best practice for precisely the reason you cited in your question. It becomes a judgement call based on the kind of information you might expose. If hinting that "somebooktitle" might leak security-sensitive information, or violate a copyright or other kind of law, then go with a 404 Not Found response. You also have the option of redirecting the user to a general purpose search page that results in a 200 OK response. Which kind of response you choose will be driven by security, legal and business considerations. There is no one-size-fits-all solution here.
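The two policies discussed above (a distinguishing 403 versus a masking 404), together with the timing caveat from the comment on the question, as an added example that is not part of the question or either answer. The book store, user names and handler functions are constructed for illustration; the masked handler always performs the lookup and the authorization decision so that the "missing" and "forbidden" cases run the same code path before returning the identical response.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Book:
    slug: str
    owner: str
    private: bool

# Constructed sample store keyed by the URL slug under /books/.
BOOKS = {
    "somebooktitle": Book("somebooktitle", owner="A", private=True),
    "public-manual": Book("public-manual", owner="A", private=False),
}

NOT_FOUND = (404, "Not Found")

def can_read(user: Optional[str], book: Optional[Book]) -> bool:
    """Authorization decision. It is evaluated even when the book does not
    exist, so the missing and forbidden paths do the same amount of work."""
    if book is None:
        return False
    return (not book.private) or user == book.owner

def get_book_masked(user: Optional[str], slug: str) -> Tuple[int, str]:
    """Masking policy: 'no such book' and 'exists but not yours' are
    indistinguishable in status, body and code path."""
    book = BOOKS.get(slug)          # lookup always runs
    allowed = can_read(user, book)  # policy always runs
    if not allowed:
        return NOT_FOUND
    return (200, book.slug)

def get_book_leaky(user: Optional[str], slug: str) -> Tuple[int, str]:
    """The 403 variant from the question: an unauthorized user learns that the
    slug exists, and the early return on a miss also differs in timing."""
    book = BOOKS.get(slug)
    if book is None:
        return NOT_FOUND
    if not can_read(user, book):
        return (403, "Forbidden")
    return (200, book.slug)
```

Response bodies must match too: a 404 page that says "you are not allowed to view this book" reintroduces the leak the status code was meant to hide.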
I don't have reputation to comment on Greg's excellent answer, so posting this as an answer.
Just adding a link to the spec: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#:~:text=10.4.5%20404%20Not%20Found, which suggests that it is appropriate to use a 404 response to mask the reason that the request is denied.