All in the <head> – Ponderings and code by Drew McLellan

More on IIS Lockdown

So I’ve been discussing the whole error message thing with two guys on the IIS team at Microsoft. Their opinion is that 403 would in fact be the most appropriate error code to issue. Their reasoning for using 404 is that “the client has no need to know” what the error is – simply that there has been an error. They say that it’s a security choice to return 404 as it gives the client “the least amount of information”.

I can see where they are coming from – if someone asks you where your safe is, you don’t tell them. However, if you’re going to be an HTTP server you have to play by the HTTP rules. I don’t agree that it’s none of the client’s business what the error is – it’s not a web server’s job to play judge and jury.

It’s slightly frustrating, because I can see that there’s probably little middle ground. You either have to be aggressively secure (or attempt that stance) or be completely transparent. This is one of those rare cases where the need for security gets in the way of those legitimately using a system. So it’s more ‘boooo!’ to the hackers than ‘boooo!’ to Microsoft. But I still don’t like it.

Here endeth my grumble.