403 Forbidden vs 401 Unauthorized HTTP responses

Tags: http-headers, http-status-code-403, http-status-codes, http-status-code-401, http-response-codes

Top answer (93 votes)

   +-----------------------
   | RESOURCE EXISTS ? (if private it is often checked AFTER auth check)
   +-----------------------
     |       |
  NO |       v YES
     v      +-----------------------
    404     | IS LOGGED-IN ? (authenticated, aka user session)
    or      +-----------------------
    401        |              |
    403     NO |              | YES
    3xx        v              v
               401            +-----------------------
        (404 no reveal)       | CAN ACCESS RESOURCE ? (permission, authorized, ...)
               or             +-----------------------
              redirect          |            |
              to login       NO |            | YES
                                |            |
                                v            v
                                403          OK 200, redirect, ...
                       (or 404: no reveal)
                       (or 404: resource does not exist if private)
                       (or 3xx: redirection)
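The flowchart above written as one decision function. This is an added example, not part of the original answer; the `Resource` model, the `decide` function, the sample paths, the `Bearer` challenge and the owner-only permission rule are assumptions made for illustration. It authenticates before revealing whether a private resource exists, and with `conceal=True` it takes the "404: no reveal" branches, so a forbidden resource and a missing one produce the same response.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    owner: str            # hypothetical permission model: only the owner may read
    public: bool = False


# Constructed sample data: path -> resource
RESOURCES = {
    "/docs/readme": Resource(owner="alice", public=True),
    "/docs/alice-notes": Resource(owner="alice"),
}


def decide(path: str, user: Optional[str], conceal: bool = True):
    """Return (status, headers) for a read of `path`.

    `user` is None when the request carries no valid session or credentials.
    `conceal=True` selects the "404: no reveal" branches of the flowchart.
    """
    resource = RESOURCES.get(path)

    # Public resources need no login, so existence can be answered directly.
    if resource is not None and resource.public:
        return 200, {}

    # Anything else is private or missing (assumption: every non-public path
    # lives in protected space). Check the session BEFORE existence, so an
    # anonymous client gets the same answer in both cases.
    if user is None:
        if conceal:
            return 404, {}
        # A 401 must carry a challenge telling the client how to authenticate.
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}

    # Logged in: now it is safe to look at existence, then at permission.
    if resource is None:
        return 404, {}
    if resource.owner != user:
        # Logged in but not allowed: 403, or 404 when existence must stay hidden.
        return (404 if conceal else 403), {}
    return 200, {}
```

With `conceal=False` the function returns the plain 401/403 answers from the chart, which tell a client that a private path exists.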
