On 22.10.2010 16:55, Robin Getz wrote:
> I noticed that when getting a page which returns an ACL error (denied.txt)
>
> The HTTP status code:
>> HTTP Status Code: HTTP/1.1 200 OK
>
> Doesn't it make sense to return a 404 on an ACL error? If you don't want
> people to see it, tell them it doesn't exist...

I don't think this is a good idea. Think of multiuser environments: how should someone be able to report to an admin that e.g. a script needs access to something if he thinks the error is on his side (e.g. URL typo or something) because he gets a 404?

Sure, the problem is not a big one but debugging gets harder. I don't like the situation where "404" may stand for "not found" and "no access". If I get a "200 OK" but nothing works, I will look at the page and see the "access denied" message, and everything is clear to me.

Maybe 403 would be a better choice, but "hiding" something with a 404 does not make sense (IMHO) because it is simply misleading and may confuse without any real benefit regarding security.

--
Andreas

<http://blog.andreas-haerter.com>

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
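
The three options weighed in this message (200 as observed, 404 as proposed, 403 as suggested), as an added example that is not part of the original post or DokuWiki's own code: a minimal WSGI app shows which outcomes a script or access log can no longer tell apart by status code under each policy. The ACL table, page names, message texts and function names (`make_app`, `fetch`, `status_view`, `ambiguous_cases`) are all constructed for illustration.

```python
from http import HTTPStatus

# Constructed sample data: page id -> users allowed to read it (hypothetical ACL).
ACL = {"start": {"alice", "bob"}, "private:notes": {"alice"}}

def make_app(denial_status):
    """Build a WSGI app that answers ACL denials with the given status."""
    def app(environ, start_response):
        page = environ["PATH_INFO"].lstrip("/")
        user = environ.get("REMOTE_USER", "")
        if page not in ACL:
            status, body = HTTPStatus.NOT_FOUND, "page not found"
        elif user not in ACL[page]:
            status = denial_status
            # A 404 policy must also hide the message, or the hiding is pointless.
            body = ("page not found" if status == HTTPStatus.NOT_FOUND
                    else "access denied")
        else:
            status, body = HTTPStatus.OK, "page content"
        start_response(f"{status.value} {status.phrase}",
                       [("Content-Type", "text/plain; charset=utf-8")])
        return [body.encode("utf-8")]
    return app

def fetch(app, page, user):
    """Call the WSGI app directly (no socket) and return (status_code, body)."""
    seen = {}
    def start_response(status, headers):
        seen["code"] = int(status.split()[0])
    environ = {"PATH_INFO": "/" + page, "REMOTE_USER": user}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return seen["code"], body

def status_view(denial_status, user="bob"):
    """Status codes a script or access log sees for ok / denied / missing."""
    app = make_app(denial_status)
    cases = (("ok", "start"), ("denied", "private:notes"), ("missing", "no:such:page"))
    return {case: fetch(app, page, user)[0] for case, page in cases}

def ambiguous_cases(denial_status):
    """Groups of outcomes that share one status code under this policy."""
    by_code = {}
    for case, code in status_view(denial_status).items():
        by_code.setdefault(code, []).append(case)
    return sorted(tuple(group) for group in by_code.values() if len(group) > 1)
```

With 200 the denial is only visible by reading the body, with 404 it merges with a mistyped URL, and with 403 all three outcomes stay distinct in logs and scripts.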