so we have HTTP status 404 for not found and 403 for forbidden
but we commonly need to hide the existence of a resource for unauthorized requests as well...
do we need a combined status code? I quickly looked through the list of status codes and I don't really see a good alternative
@eloy The general recommendation is to just use 404 for that, making it deliberately ambiguous - because any HTTP code that reveals that something is being intentionally hidden (as opposed to not existing) would defeat the point of hiding its existence
@joepie91 but defining a new status code to express ambiguity would be more correct for sites that need this for security reasons, the rest can keep using 404.
if you use that new status code also as a replacement for 404 I don't see a security problem
@eloy Okay, but putting aside abstract notions of 'correct' for a moment, how would this technically improve things?
Because as far as I can tell, you'd just be introducing a new HTTP status code that everyone now needs to *also* support and treat like a 404, without adding any new functionality (because it's still just "not found"), so then what is the practical purpose of the new ambiguous status code?
@eloy Okay, but how isn't this already the case for 404 errors today?
@joepie91 it is the case. But 404 doesn't need to lose its original meaning of a pure not found status code. You could argue it's a lost cause by now. But it doesn't need to if security sensitive sites switch to a new code.
@eloy I think this is unrealistic, to be honest - in the time I have used the web (and that's a *long* time), 404 *has never* been a "pure not found" status code. Practically nobody makes the distinction between 404 and 410, for example, and given that you often also want to hide *whether* you are hiding resources, putting this under 404 (instead of using a dedicated status code) would be the correct thing to do.
Keep in mind that the purpose of technology is to solve people's problems, not the other way around. Something might be the 'correct' thing in a hypothetical vacuum, but if it doesn't actually match how people want or need to use it, then it's not actually 'correct' for any meaningful interpretation of the term.
@joepie91 > and given that you often also want to hide *whether* you are hiding resources, putting this under 404
that's a good point, but only applies to proprietary software :P
@joepie91 expressing more information in 3 numbers instead of having to explain in text it might also be an authorization issue