this post was submitted on 10 Apr 2026
157 points (91.1% liked)

Programmer Humor

31403 readers
816 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
157
The mist of the www (feddit.org)
submitted 1 month ago by NichEherVielleicht@feddit.org to c/programmer_humor@programming.dev
92 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] waigl@lemmy.world 16 points 1 month ago (3 children)

Any further "helpful" information in that error message would be a security issue.

[–] smeg@feddit.uk 3 points 1 month ago (2 children)

I am annoyed by (but respect) APIs that take it a level further and don't even give you a 403 to say you're unauthorised, they just give you a 404 because anything else would acknowledge that the resource you requested actually existed

[–] wheezy@lemmy.ml 8 points 1 month ago (2 children)

Wouldn't unauthorized only be meant for AFTER a login is successful?

Like, the user should have to have an active session first. Maybe you're just talking about that case though.

[–] smeg@feddit.uk 1 points 1 month ago

Maybe I meant unauthenticated. What is this, mandatory cybersecurity education!?

[–] bountygiver@lemmy.ml 0 points 1 month ago (1 children)

unauthorized (403) is still valid for unlogged in as you can permit anonymous access to certain resources.

unauthenticated (401) is for when you should be redirecting the user to the login page

[–] wheezy@lemmy.ml 1 points 1 month ago* (last edited 1 month ago)

Thanks. I think I might have been misreading these in my head. Dyslexia is a dickhead. The number codes really helped.

[–] Pika@sh.itjust.works 6 points 1 month ago* (last edited 1 month ago) (2 children)

I don't respect them because most instances a 403 is more than adequate for your security. The only time I agree with having a 404 over a 403 would be file-specific pathing, but realistically the entire file directory should be a 403 instead of a 404, And then if the user is authorized to access the resource(but it isn't there), then it gives a 404.

[–] qqq@lemmy.world 1 points 1 month ago

Yea, it doesn't matter too much in most instances, but there are times when it might, especially if the URL itself has some meaning embedded in it. For example if part of the path is a SHA sum of some content, which is fairly common, it might be bad to allow someone to determine if that resource exists

[–] Lifter@discuss.tchncs.de 1 points 1 month ago (1 children)

But if there is no resource, how can the system know whether they are authorized? 403 it is.

[–] Pika@sh.itjust.works 1 points 1 month ago* (last edited 1 month ago)

Whether you respond as a 404 or a 403 would be dependent on whether or not the user who is logged in has the authorization to read the previous directory.

A site administrator, for example, would have the authority to read the previous directory, which means that the site administrator would know whether or not the resource existed or not(as the previous directory would list it) so in which case a 404 would be proper. However, a user who doesn't have authority to read the previous directory should not have the ability to know whether or not it exists. so a 404 would not be proper here because the proper one would be a 403 because it's inherited from the previous directory.

edit: changed traverse to read, as traversal doesn't mean you can see what else is there.

[–] gibson@sopuli.xyz 2 points 1 month ago

While true most of these websites expose valid usernames in other places

[–] Xavienth@lemmygrad.ml 2 points 1 month ago

Couldn't you just try and register the username to see if it's valid?