Return "correct" error code, or protect privacy?

Question

OK, probably best to give an example here of what I mean.

Imagine a web based forum system, where the user authentication is done by some external method, which the system is aware of.

Now, say for example, a user enters the URL for a thread that they do not have access to. For this should I return a 403 (Forbidden), letting the user know that they should try another authentication method, or a 404, not letting them know that there is something there to access.

Assuming I return a 403, should I also return a 403 when they access a URL for a topic that doesn't exist yet?

The example above was more of an example than something IRL.

Another Example, say I expose something like

/adminnotes/user

if there are Administrator notes about the user. Now, returning a 403 would let the user know that there is something there being said about them. A 404 would say nothing.

But, if I were to return a 403 - I could return it for adminnotes/* - which would resolve that issue.

Edit 2: Another example. Soft deleted Questions here return a 404. Yet, with the right authentication and access, you can still see them (I'd presume)

Answer

Above everything else, comply with the HTTP spec. Returning 403 in place of 404 is not a good thing. Returning 404 in place of 403 probably is OK (or not a big blunder), but I would just let the software tell the truth. If the user only knows the ID of a topic, it's not much anyway. And he could try timing attacks to determine whether this topic exists.
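As an added example, not part of the original question or answer: a small Python authorization layer that implements both status-code policies discussed in this thread, the honest 403/404 split and the existence-hiding 404 (which also covers the soft-deleted case), together with the prefix-wide 403 for /adminnotes/*. The topic records, user names, and function names are all constructed here for illustration and are not from any real forum.

```python
"""Status-code policy for a toy forum: honest 403/404 versus existence-hiding 404.

Everything in this module is constructed for illustration (added example);
the data model, names and helpers are assumptions, not code from the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Topic:
    id: int
    owner: str
    visibility: str          # "public" or "private"
    deleted: bool = False    # soft delete: row stays, normal users can't see it


# Constructed sample data.
TOPICS: Dict[int, Topic] = {
    1: Topic(1, "alice", "public"),
    2: Topic(2, "alice", "private"),
    3: Topic(3, "bob", "public", deleted=True),
}
ADMINS: Set[str] = {"root"}
ADMIN_NOTES: Dict[str, str] = {"bob": "constructed note about bob"}  # /adminnotes/<user>


def can_view(user: str, topic: Topic) -> bool:
    """Admins see everything, including soft-deleted topics."""
    if user in ADMINS:
        return True
    if topic.deleted:
        return False
    return topic.visibility == "public" or topic.owner == user


def topic_status(user: str, topic_id: int, hide_existence: bool = False) -> int:
    """HTTP status for GET /topic/<id>.

    hide_existence=False: tell the truth -> 200 ok, 403 forbidden, 404 missing.
    hide_existence=True:  collapse forbidden into 404, so the client cannot
                          tell "no such topic" from "exists but not yours".

    The lookup and the permission check both run before any branch on the
    result, so the decision itself takes the same code path either way. That
    does not remove timing differences at the storage layer (a real database
    answers a miss and a hit differently); this in-memory dict does not model
    them, which is exactly the residual risk the answer above points at.
    """
    topic: Optional[Topic] = TOPICS.get(topic_id)
    allowed = topic is not None and can_view(user, topic)
    if allowed:
        return 200
    if topic is None:
        return 404
    return 404 if hide_existence else 403


def adminnotes_status(user: str, target: str) -> int:
    """HTTP status for GET /adminnotes/<user>.

    The whole prefix is admin-only, so a non-admin always gets 403, whether or
    not notes about <user> exist. The 403 therefore reveals nothing about any
    specific user, which is the "return it for adminnotes/*" idea in the question.
    """
    if user not in ADMINS:
        return 403
    return 200 if target in ADMIN_NOTES else 404


if __name__ == "__main__":
    print("bob -> private topic 2, honest:", topic_status("bob", 2))
    print("bob -> private topic 2, hidden:", topic_status("bob", 2, hide_existence=True))
    print("bob -> deleted topic 3, hidden:", topic_status("bob", 3, hide_existence=True))
    print("bob -> /adminnotes/bob:", adminnotes_status("bob", "bob"))
```

With hide_existence=True a private topic, a soft-deleted topic and a topic that was never created all look identical to an outsider (404), while an admin still gets 200; with hide_existence=False the same requests are answered honestly with 403 where the topic exists.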
