[http-headers] 403 Forbidden vs 401 Unauthorized HTTP responses

This is an older question, but one option that was never really brought up was to return a 404. From a security perspective, the highest voted answer suffers from a potential information leakage vulnerability. Say, for instance, that the secure web page in question is a system admin page, or perhaps more commonly, is a record in a system that the user doesn't have access to. Ideally you wouldn't want a malicious user to even know that there's a page / record there, let alone that they don't have access. When I'm building something like this, I'll try to record unauthenticate / unauthorized requests in an internal log, but return a 404.

OWASP has some more information about how an attacker could use this type of information as part of an attack.

Examples related to http-headers

Set cookies for cross origin requests Adding a HTTP header to the Angular HttpClient doesn't send the header, why? Passing headers with axios POST request What is HTTP "Host" header? CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response Using Axios GET with Authorization Header in React-Native App Axios get access to response header fields Custom header to HttpClient request Send multipart/form-data files with angular using $http Best HTTP Authorization header type for JWT

Examples related to http-status-code-403

Nginx 403 error: directory index of [folder] is forbidden HTTP error 403 in Python 3 Web Scraping MVC4 HTTP Error 403.14 - Forbidden Error message "Forbidden You don't have permission to access / on this server" WAMP 403 Forbidden message on Windows 7 Apache VirtualHost 403 Forbidden Nginx 403 forbidden for all files Emulate a 403 error page 403 Forbidden vs 401 Unauthorized HTTP responses Apache gives me 403 Access Forbidden when DocumentRoot points to two different drives

Examples related to http-status-codes

Laravel - Return json along with http status code Spring: return @ResponseBody "ResponseEntity<List<JSONObject>>" HTTP status code 0 - Error Domain=NSURLErrorDomain? 400 vs 422 response to POST of data Python Request Post with param data HTTP Get with 204 No Content: Is that normal Throw HttpResponseException or return Request.CreateErrorResponse? Returning http status code from Web Api controller How to specify HTTP error code? How to get HTTP response code for a URL in Java?

Examples related to http-status-code-401

HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers 401 Unauthorized: Access is denied due to invalid credentials Server returned HTTP response code: 401 for URL: https 403 Forbidden vs 401 Unauthorized HTTP responses How do I get the HTTP status code with jQuery?

Examples related to http-response-codes

What is "406-Not Acceptable Response" in HTTP? 403 Forbidden vs 401 Unauthorized HTTP responses PHP: How to send HTTP response code?