是否可以为不存在的资源而不是404返回HTTP 401以防止信息泄露? [英] Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?
问题描述
在查看在资源可用但由于权限无法访问,我将使用相同的场景来说明我的假设问题。
Inspired by a thought while looking at the question "Correct HTTP status code when resource is available but not accessible because of permissions", I will use the same scenario to illustrate my hypothetical question.
想象一下,我正在建立一个拼车网络服务。
Imagine I am building a a carpooling web service.
假设以下
GET /api/persons/angela/location
检索用户angela的当前位置。只有安吉拉本人和可能会选择她的司机应该能够知道她的位置,所以如果请求未经适当的用户认证,则 401 Unauthorized 回复。
retrieves the current position of user "angela". Only angela herself and a possible driver that is going to pick her should be able to know her location, so if the request is not authenticated to an appropriate user, a 401 Unauthorized response is returned.
同时考虑请求
GET /api/persons/john/location
当没有用户名为john时已在系统中注册。没有john资源,更不用说john位置的资源了,所以这显然会返回找不到404 。或者是吗?
when no user called john has registered with the system. There is no john resource let alone a resource for john's location, so this obviously returns a 404 Not Found. Or does it?
如果我不想透露john是否在系统中注册了怎么办?
(也许用户名来自一小部分大学登录,校园内有一个非常激进的自行车小组,即使你正在合并,也会对车辆的使用情况有一个非常暗淡的看法?他们可以为每个用户提供URL请求,如果他们收到401而不是404,则推断该用户是汽车用户)
(Perhaps the usernames are drawn from a small pool of university logins, and there is a very militant cycling group on campus that takes a very dim view of car usage, even if you are pooling? They could make requests to the URL for every user, and if they receive a 401 instead of 404, infer that the user is a car pooler)
是否有意义为此请求返回 401 Unauthorized ,即使该资源没有存在并且在请求中没有可能提供的凭证集以使服务器返回200?
Does it make sense to return a 401 Unauthorized for this request, even though the resource does not exist and there is no possible set of credentials that could be supplied in a request to have the server return a 200?
推荐答案
实际上,W3C 推荐(RFC2616§10.4.4 403楼orbidden)做相反的事情。如果有人试图访问资源但未正确验证,则返回404,而不是403(禁止)。这仍然解决了信息披露问题。
Actually, the W3C recommends (RFC 2616 §10.4.4 403 Forbidden) doing the opposite. If someone attempts to access a resource, but is not properly authenticated, return 404 then, rather than 403 (Forbidden). This still solves the information disclosure issue.
如果服务器不希望赚取
这个信息可用于
客户端,可以使用状态代码404(找不到
)。
If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
因此,你永远不会返回403 (或401)。但是,我认为你的解决方案也是合理的。
Thus, you would never return 403 (or 401). However, I think your solution is also reasonable.
编辑:我认为Gabe走在正确的轨道上。您将不得不重新考虑部分设计,但为什么不:
I think Gabe's on the right track. You would have to reconsider part of the design, but why not:
- 未找到 - 404
- 用户特定的权限不足 - 404
- 一般权限不足(无人可以访问) - 403
- 未登录 - 401
- Not found - 404
- User-specific insufficient permission - 404
- General insufficient permission (no one can access) - 403
- Not logged in - 401
这篇关于是否可以为不存在的资源而不是404返回HTTP 401以防止信息泄露?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
