2015-06-04

Returning 403 or 404 - that is the question

I think it is safe to say that anybody who is serious about security will tell you that security through obscurity is no security. Yet a lot of people think obscuring things is a great way to increase security, like, for example, returning 404 rather than 403 from a REST API when the caller does not have the rights to retrieve an existing resource.

This article is an interesting read going over this in detail, including how to make it work properly in ASP.NET. There is some criticism in the comments pointing out that a serious attacker would still be able to tell a true 404 from a 403 disguised as a 404, and that other measures, such as adding a random delay to all error responses, are needed before it buys any real security.

So what should you do? Obviously you should not rely on obscurity for security, but as the linked article points out, adding obscurity on top of a secure solution adds a layer of what is usually called defense in depth. The biggest problem you have when defending against attackers is that they are always ahead of you. So while your solution may be cryptographically secure today, tomorrow there may be an exploit you did not know about, and a little obscurity can soften the blow.

Also, some obscurity will deter the casual attackers but never the serious threats. However, unless you are the CIA, NSA, FBI, a large bank or similar, the serious attackers probably don't care too much about you anyway, so...

To me the question of 403 vs 404 is not really about security through obscurity at all. If it were only about that, I would prefer 403, since it gives legitimate callers a chance to understand that they did something wrong. But there is one case where I would not do that: when the mere existence of the resource would disclose important information.

For example, consider an API that looks like /customers/{id}/accounts/{number} and returns 404 if the given customer does not have the given account number, but 403 if the account exists and is not mine. Without ever getting the actual data, I can now work out which account numbers each customer has simply by trying a lot of combinations. Naturally there are several ways this information disclosure could be avoided, such as always returning 403 unless you are looking up your own accounts.
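As an added example (it is not code from the original post or from the linked article), here is the leaky handler described above next to a hardened one that checks ownership before existence, plus a small probe loop standing in for the attacker trying combinations. The customer and account identifiers, the in-memory account table and the function names are assumptions made up for the illustration.

```python
from http import HTTPStatus

# Constructed sample data (not from the original post): which account
# numbers each customer holds.
ACCOUNTS = {
    "c1": {"1001", "1002"},
    "c2": {"2001"},
}


def lookup_leaky(caller, customer_id, number):
    """Existence is checked before ownership, so the status code leaks.

    404: the customer does not hold that account (or does not exist)
    403: the account exists but the caller is not its owner
    200: the caller is looking at their own account
    """
    if number not in ACCOUNTS.get(customer_id, set()):
        return HTTPStatus.NOT_FOUND
    if caller != customer_id:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def lookup_hardened(caller, customer_id, number):
    """Ownership is checked first: anything outside the caller's own
    /customers/{id} subtree is 403 whether or not it exists.

    Because the ownership check runs before any account data is
    touched, neither the status nor the work done (and so the timing)
    for a foreign customer id depends on what that customer holds.
    """
    if caller != customer_id:
        return HTTPStatus.FORBIDDEN
    if number not in ACCOUNTS.get(customer_id, set()):
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.OK


def probe(handler, caller, customer_id, candidates):
    """Simulate the attacker's loop: request each candidate number and
    record the status code. Returns {number: status}."""
    return {n: handler(caller, customer_id, n) for n in candidates}


def accounts_revealed(probe_result):
    """Numbers the attacker can infer exist: those answered with
    something other than 404. Against the hardened handler every
    foreign request is 403, so this is simply the whole candidate
    list and carries no information."""
    return {n for n, status in probe_result.items()
            if status != HTTPStatus.NOT_FOUND}


if __name__ == "__main__":
    candidates = [str(n) for n in range(1000, 1005)]
    leaky = probe(lookup_leaky, "c2", "c1", candidates)
    hardened = probe(lookup_hardened, "c2", "c1", candidates)
    print("leaky handler reveals:", sorted(accounts_revealed(leaky)))
    print("hardened handler reveals:", sorted(accounts_revealed(hardened)))
```

Note that the hardened ordering also stops enumeration of customer ids, since a customer that does not exist is answered with the same 403 as one that does. The other option from the linked article, always answering 404, is the same check with NOT_FOUND returned in place of FORBIDDEN; what matters for the disclosure is that the first check is ownership, not existence.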

My point is that information disclosure is a much better reason to use 404 over 403 than security through obscurity ever was. But if you don't have that problem, 403 is much more useful than 404 to the caller. Both the nice and the naughty ones...
