current community

your communities

more stack exchange communities

Stack Exchange Inbox Reputation and Badges
tour help
Sign up ×
Webmasters Stack Exchange is a question and answer site for pro webmasters. It's 100% free, no registration required.
up vote 1 down vote favorite

I have a set of content in my web app that should only be visible if you are logged in. They have not public equivalent, should never be crawled, or otherwise known outside of logged in users of specific security levels. I come from the network security world so my first instinct is to "cloak the port" to steal a Steve Gibson line, return a 404 indicating there is nothing there, nor should you expect anything to be there. In the custom 404 page I may include some text advising you to log in if you are not already.

Is this bad practice? Do I gain anything from using the 403 and hanging a sign on my tools that "There is something here, dare you access it".

Edit: Also, I am not using .htaccess to manage folder level permissions. I am using session tracking and Oath to manage logins, so the browser is never used to ask for a login, a web form is. Each script compares against a permission list associated with the currently logged in user. So I should be using 403 not a 401 error.

share|improve this question

1 Answer 1

up vote 2 down vote

You need to return 401 for technical reasons: the 401 is what tells the browser to prompt the user for a username and password. If you don't return 401, nobody will be able to log in because their browsers will never prompt them to log in! This situation is only applicable to 401 which is tightly tied to the authentication built in to the HTTP protocol. When using another kind of authentication (e.g. a session cookie), 401 is never used (usually 403 is used instead) and this paragraph does not apply.

Even if that weren't the case, there's another technical reason why 401 should be returned: if a legitimate user were to access the resource once without logging in and received a 404, their browser is allowed to cache this fact, and later when they were logged in and tried to access the resource again, the browser (or intermediate cache) would be allowed to return the cached 404 without requerying the server. The preceding paragraph isn't true. Only responses with status codes 200, 203, 206, 300, 301 or 410 may be cached.

This isn't usually much of a problem because typically an entire subdirectory is protected by authentication (or even an entire site if it's configured on the site's root directory), so attackers can't learn anything about resources that may or may not exist under the protected subdirectory because they get a 401 for anything they query under that subdirectory (whether it exists or not). The only thing they learn is that the protected subdirectory exists.

share|improve this answer
    
hmm, should have clarified that the tool is handling authentication not, .htaccess locking the folder. –  Tyson of the Northwest Jun 13 '13 at 20:07
    
So browsers do cache that an address is 404 vs 401? How does my cache directives in the header effect that? –  Tyson of the Northwest Jun 13 '13 at 20:12
    
I understand that you are not using HTTP basic authentication (via .htaccess or whatever). In that case you are not allowed to use 401 at all. From RFC2626's paragraph about the 401 response: The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.. In other words, that status code is reserved for use with HTTP authentication. –  Celada Jun 13 '13 at 20:52
    
I don't know if any current browsers do cache 404 responses, but they are allowed to. Your application should assume they might. –  Celada Jun 13 '13 at 20:53
    
+1 top answer. AFAIK, the browser can cache any 4xx response. Custom cache control headers should control the caching in compliant browsers. If you are not using HTTP authentication then I would say a 403 response is preferable, as Celada suggests. Returning a 404 instead does not improve security, it is simply security-by-obscurity which offers no real security benefit. Also, returning 404s will pollute your logs and stats reports with misleading messages, making it hard to distinguish true 404s from your pseudo 404s. –  w3d Jun 13 '13 at 21:19

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.