
I have a REST API which allows users to submit data to be saved in my database. When data is submitted, their userID will be grabbed from the request header and added to the document.

In my collection (MongoDB) there is the normal _id field and a userID field, which references the user.

My question is: in the scenario that a malicious user submits a PUT or DELETE request to a document that does not belong to them, what is the best way to handle it?

  1. I pull the prediction from the DB using just the submitted _id, check the userID field against the requesting userID, and issue a 403 response if they do not match.

  2. I query the database by both _id and userID, so the document would not be found if it does not belong to the requesting user. I would then issue a 404 response, just as if they had submitted an id that does not exist.

Both choices achieve the same goal, which is to prevent a user from editing or deleting a resource that does not belong to them, but which is "better"?

2 Answers


  1. 404 is for "not found", which is clearly not the case.

    Use 403.

    Quoting from Wikipedia:

    HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication …

  2. I would return 403 if user A has permission to view a resource that belongs to user B (as they are already aware of the existence of this resource). Otherwise, I would return 404 for privacy reasons. This is in line with the RFC 9110 standard:

    An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

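The three policies discussed above (the question's option 1, its option 2, and the second answer's "404 unless the requester could already see it" rule), written out as DELETE handlers. This is an added example, not code from the question or either answer. It assumes an in-memory stand-in for a MongoDB collection that exposes the same `findOne(filter)` / `deleteOne(filter)` shape as the driver (kept synchronous here, where the real driver returns promises), constructed sample documents, and a hypothetical `sharedWith` field that stands in for whatever "user A may view user B's resource" means in a real application.

```javascript
// Added example, not code from the question or the answers. Collection is an
// in-memory stand-in for a MongoDB collection with the findOne/deleteOne(filter)
// shape; calls are synchronous here, whereas the real driver returns promises.

// Constructed sample data: two users with one document each, plus a document
// that alice has shared with carol (sharedWith is an assumed field).
const SAMPLE_DOCS = [
  { _id: "doc-a", userID: "alice", body: "alice's prediction" },
  { _id: "doc-b", userID: "bob", body: "bob's prediction" },
  { _id: "doc-c", userID: "alice", body: "shared prediction", sharedWith: ["carol"] },
];

// Minimal stand-in for a MongoDB collection. Only equality filters are
// supported, which is all the handlers below need.
class Collection {
  constructor(docs) {
    this.docs = docs.map((d) => ({ ...d }));
  }
  _matches(doc, filter) {
    return Object.keys(filter).every((k) => doc[k] === filter[k]);
  }
  findOne(filter) {
    return this.docs.find((d) => this._matches(d, filter)) ?? null;
  }
  deleteOne(filter) {
    const i = this.docs.findIndex((d) => this._matches(d, filter));
    if (i === -1) return { deletedCount: 0 };
    this.docs.splice(i, 1);
    return { deletedCount: 1 };
  }
}

// Option 1 from the question: fetch by _id alone, compare the owner, 403 on
// mismatch. A 403 confirms to the caller that this _id exists. The write is
// still scoped by userID so the read-then-check is not the only defence.
function deleteCheckThenAct(col, requesterId, docId) {
  const doc = col.findOne({ _id: docId });
  if (doc === null) return { status: 404 };
  if (doc.userID !== requesterId) return { status: 403 };
  col.deleteOne({ _id: docId, userID: requesterId });
  return { status: 204 };
}

// Option 2 from the question: put the ownership condition in the write
// itself. "Missing" and "owned by someone else" give the same 404, and there
// is no separate check that can get out of sync with the write.
function deleteScoped(col, requesterId, docId) {
  const { deletedCount } = col.deleteOne({ _id: docId, userID: requesterId });
  return deletedCount === 1 ? { status: 204 } : { status: 404 };
}

// The second answer's rule: 403 only when the requester may already view the
// document, 404 otherwise. The visibility rule is an assumption for this
// example: the owner, plus anyone listed in the optional sharedWith field.
function canView(doc, requesterId) {
  return doc.userID === requesterId || (doc.sharedWith ?? []).includes(requesterId);
}

function deleteWithVisibilityRule(col, requesterId, docId) {
  const doc = col.findOne({ _id: docId });
  if (doc === null || !canView(doc, requesterId)) return { status: 404 }; // hide existence
  if (doc.userID !== requesterId) return { status: 403 }; // visible to them, but not theirs
  const { deletedCount } = col.deleteOne({ _id: docId, userID: requesterId });
  return deletedCount === 1 ? { status: 204 } : { status: 404 };
}

// Runs the same hostile request (bob deleting alice's doc-a) through each
// handler on a fresh collection and returns the status codes side by side.
function compareHandlers() {
  return {
    checkThenAct: deleteCheckThenAct(new Collection(SAMPLE_DOCS), "bob", "doc-a").status,
    scoped: deleteScoped(new Collection(SAMPLE_DOCS), "bob", "doc-a").status,
    visibilityRule: deleteWithVisibilityRule(new Collection(SAMPLE_DOCS), "bob", "doc-a").status,
  };
}
```

`compareHandlers()` returns `{ checkThenAct: 403, scoped: 404, visibilityRule: 404 }`. Two details matter if the 404 is meant to hide existence: the response for "exists but not yours" must be identical (status, headers, body) to the response for an _id that was never in the collection, and whatever the owner-scoped write is (`deleteOne`, `updateOne`, `findOneAndUpdate`) must carry the `userID` condition itself rather than relying on an earlier read.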