Let's say we have an API where users belong to specific tenants. If a user tries to retrieve data for a tenant they do not belong to, is it more appropriate/secure to throw a 403 or 404 error?
From one perspective, 403 makes sense as that user does not have access to the tenant. However, from another perspective, a 404 makes sense because we're not exposing that the tenant they are requesting exists.
Which approach would be considered better? My gut says 404.
CodePudding user response:
You should not expose any info across tenants. From one tenant's perspective a resource does not exist if it belongs to another tenant - they should not be able to differentiate. In other words, the error response should be the same for a truly non-existent resource, for one that is assigned to a different tenant (non-existent for the current client), and, if the tenant id is part of the request, existing and non-existing tenant ids should also yield the same response if the client is not authorized for them.
I understand this is somewhat against the purpose of 403, and there can be easy theoretical counter-arguments which can also be very valid from other perspectives, but not leaking any info is the most secure option.
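The handler pattern the answer describes, written out as an added example (not code from the question or the answer): a tenant-scoped lookup whose every failure path returns one identical 404, shown beside a "leaky" variant that distinguishes unknown tenant, foreign tenant and missing resource. The in-memory `RESOURCES` table, the `Principal` type and the probe set are constructed for illustration and stand in for whatever store and auth context a real API uses.

```python
import json
from dataclasses import dataclass

# Constructed sample data for the example; a real API would query a database.
RESOURCES = {
    ("tenant-a", "doc-1"): {"id": "doc-1", "tenant": "tenant-a", "title": "A's document"},
    ("tenant-b", "doc-2"): {"id": "doc-2", "tenant": "tenant-b", "title": "B's document"},
}
KNOWN_TENANTS = {"tenant-a", "tenant-b"}

# The one response every failure path returns: same status, same body.
NOT_FOUND = (404, {"error": "not found"})


@dataclass(frozen=True)
class Principal:
    """Authenticated caller (hypothetical shape); one user belongs to one tenant."""
    user_id: str
    tenant_id: str


def get_resource(caller: Principal, tenant_id: str, resource_id: str):
    """Hardened handler: returns (status, body).

    Whether the tenant id is unknown, belongs to someone else, or the resource
    is simply missing, the caller sees exactly NOT_FOUND. The tenant check
    deliberately runs before any "does this tenant exist" lookup so that the
    existence of other tenants never influences the response.
    """
    if tenant_id != caller.tenant_id:
        return NOT_FOUND
    resource = RESOURCES.get((tenant_id, resource_id))
    if resource is None:
        return NOT_FOUND
    return (200, resource)


def get_resource_leaky(caller: Principal, tenant_id: str, resource_id: str):
    """The design the answer argues against: each failure is distinguishable.

    An outsider learns which tenant ids exist (404 vs 403) and, within a tenant
    they cannot access, nothing more, but the tenant enumeration alone is a leak.
    """
    if tenant_id not in KNOWN_TENANTS:
        return (404, {"error": "no such tenant"})
    if tenant_id != caller.tenant_id:
        return (403, {"error": "forbidden"})
    resource = RESOURCES.get((tenant_id, resource_id))
    if resource is None:
        return (404, {"error": "no such resource"})
    return (200, resource)


# Probes a caller from tenant-a might send to map out the system:
# own tenant / missing resource, foreign tenant / existing resource,
# unknown tenant / any resource.
PROBES = [
    ("tenant-a", "missing"),
    ("tenant-b", "doc-2"),
    ("tenant-zzz", "doc-2"),
]


def distinct_failure_responses(handler, caller: Principal, probes=PROBES):
    """Return the set of distinct (status, body) pairs the probes produce.

    A handler that leaks nothing yields a set of size 1.
    """
    seen = set()
    for tenant_id, resource_id in probes:
        status, body = handler(caller, tenant_id, resource_id)
        seen.add((status, json.dumps(body, sort_keys=True)))
    return seen


if __name__ == "__main__":
    alice = Principal(user_id="alice", tenant_id="tenant-a")
    print("hardened:", distinct_failure_responses(get_resource, alice))
    print("leaky:   ", distinct_failure_responses(get_resource_leaky, alice))
```

The status code and body are only part of the picture: if the unauthorized path returns early while the authorized-but-missing path hits the database, response timing can still separate the two cases. Scoping the query by the caller's own tenant (the equivalent of `WHERE tenant_id = :caller_tenant AND id = :resource_id`) for every request keeps the work done on each failure path roughly uniform.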