Subject: Security - Why 404 instead of 403?
Posted by: Karl Groves (ka…@NOSPAMkarlcore.com)
Date: Thu, 05 Apr 2007
A website I worked on for my day job was recently subjected to a security
audit by Watchfire Appscan which showed some SQL injection and XSS
vulnerabilities. They were all fixed rather quickly and easily, but
Appscan keeps mentioning one thing:
For "hidden" directories (such as "images" or "styles") it says: "Issue a
'404-Not Found' response status code for a forbidden resource, or remove it."
This is silly, IMO. We've turned off indexes with .htaccess and are issuing
an HTTP 403 response instead.
I understand that fooling attackers into thinking something doesn't exist
is a good idea, but is it any MORE secure than issuing a 403?
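The two behaviours the post contrasts, as an added .htaccess example (not from the original post or the site it describes; the directory names are assumed):

```apache
# Added example, not from the original post. Directory names are assumed.

# What the post describes: listing is disabled, so a request for /images/
# with no index file gets Apache's default 403 Forbidden.
Options -Indexes

# What the scanner asks for instead: answer the bare directory URL with a
# 404, so it is indistinguishable from a path that does not exist.
# Files inside the directory (e.g. /images/logo.png) are still served.
RedirectMatch 404 "^/(images|styles)/?$"
```

Either way the directory contents stay reachable by direct URL; the only difference is what a request for the directory itself reveals, which is the question the post raises.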