Is it better to use a 403 response or 404?

Time: 04-29

I have a REST API which allows users to submit data to be saved in my database. When data is submitted, their userID will be grabbed from the request header and added to the document.

In my collection (mongoDB) there is the normal _id field and a userID field, which references the user.

My question is: in the scenario that a malicious user submits a PUT or DELETE request to a document that does not belong to them, what is the best way to handle it?

  1. I pull the prediction from the DB just using the submitted _id, check the userID field against the requesting userID and issue a 403 response if they do not match.

  2. I query the database by both _id and userID, so it would not be found if the document does not belong to the requesting user. I would then issue a 404 response just as if they had submitted an id that does not exist.

Both choices achieve the same goal, which is to prevent a user from editing or deleting a resource that does not belong to them, but which is "better"?
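The two options described in the question, written out as an added example that is not part of the original post. The MongoDB collection is replaced by an in-memory array, requests are plain objects shaped like Express's (`req.params.id`, `req.headers`), and the header name `x-user-id` is an assumption.

```javascript
// Added example, not code from the original post: the two strategies from
// the question as DELETE handlers over an in-memory stand-in for the
// MongoDB collection. The userID comes from the request header, as the
// question describes; the header name 'x-user-id' is assumed.

// Constructed sample data: each document carries its owner's userID.
function sampleStore() {
  return [
    { _id: 'doc-1', userID: 'alice', value: 1 },
    { _id: 'doc-2', userID: 'bob', value: 2 },
  ];
}

// Builds a request the way the question describes: document id from the
// URL, requesting user's id from a request header.
function request(userID, id) {
  return { params: { id }, headers: { 'x-user-id': userID } };
}

// Strategy 1: look the document up by _id alone, then compare owners.
// The caller can tell "does not exist" (404) from "not yours" (403).
function deleteUsing403(store, req) {
  const requester = req.headers['x-user-id'];
  if (!requester) return 401; // assumed: no authenticated user at all
  const idx = store.findIndex((d) => d._id === req.params.id);
  if (idx === -1) return 404;
  if (store[idx].userID !== requester) return 403;
  store.splice(idx, 1);
  return 204;
}

// Strategy 2: filter by both _id and userID in the query itself. A document
// owned by another user is handled exactly like a non-existent one, so the
// response does not reveal whether that _id exists at all.
function deleteUsing404(store, req) {
  const requester = req.headers['x-user-id'];
  if (!requester) return 401; // assumed: no authenticated user at all
  const idx = store.findIndex(
    (d) => d._id === req.params.id && d.userID === requester
  );
  if (idx === -1) return 404;
  store.splice(idx, 1);
  return 204;
}

// bob attempting to delete alice's document under each strategy.
console.log(deleteUsing403(sampleStore(), request('bob', 'doc-1'))); // 403
console.log(deleteUsing404(sampleStore(), request('bob', 'doc-1'))); // 404
```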

CodePudding user response:

404 is for "not found", which is clearly not the case.

Use 403.

Quoting from Wikipedia:

HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication ...
