I don’t respect them because most instances a 403 is more than adequate for your security. The only time I agree with having a 404 over a 403 would be file-specific pathing, but realistically the entire file directory should be a 403 instead of a 404, And then if the user is authorized to access the resource(but it isn’t there), then it gives a 404.
Yea, it doesn’t matter too much in most instances, but there are times when it might, especially if the URL itself has some meaning embedded in it. For example if part of the path is a SHA sum of some content, which is fairly common, it might be bad to allow someone to determine if that resource exists
I don’t respect them because most instances a 403 is more than adequate for your security. The only time I agree with having a 404 over a 403 would be file-specific pathing, but realistically the entire file directory should be a 403 instead of a 404, And then if the user is authorized to access the resource(but it isn’t there), then it gives a 404.
Yea, it doesn’t matter too much in most instances, but there are times when it might, especially if the URL itself has some meaning embedded in it. For example if part of the path is a SHA sum of some content, which is fairly common, it might be bad to allow someone to determine if that resource exists