Let's say we have an API where users belong to specific tenants. If a user tries to retrieve data for a tenant they do not belong to, is it more appropriate/secure to throw a 403 or 404 error?

From one perspective, 403 makes sense as that user does not have access to the tenant. However, from another perspective, a 404 makes sense because we're not exposing that the tenant they are requesting exists.

Which approach would be considered better? My gut says 404

CodePudding user response：

You should not expose any info across tenants. From one tenant's perspective a resource does not exist if it belongs to another tenant - they should not be able to differentiate. In other words, the error response should be the same for a truly non-existent resource, for one that is assigned to a different tenant (non-existent for the current client), and if the tenant id is part of the request, then existing and non-existing tenant ids should also yield the same if the client is not authorized to them.

I understand this is somewhat against the purpose of 403, and there can be easy theoretical counter-arguments which can also be very valid from other perspectives, but not leaking any info is the most secure option.