Choosing between HTTP 403 and 404

How to choose between an HTTP 403 and a 404 error?

I’m expanding a recent post by Christos Gkoros where he asked what error code you’d return in two situations:

• When the requested resource doesn’t exist.
• When the consumer doesn’t have permission to access the resource.

My answer was “It depends.” I wrote that if the collection or resource isn’t considered public information, e.g. a private profile, then the client should receive a 404. If, on the other hand, the collection is considered public information, then the client should receive a 403.

Choosing between HTTP 403 and 404. The choice of returning an HTTP 403 or a 404 depends on the permission to access a resource, if it’s public or private, and if it exists.

I didn’t come up with this answer. I was simply translating the information available on RFC 7231 § 6.5.3. This section explains how the HTTP 403 works and also mentions that:

An origin server that wishes to ‘hide’ the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Section 6.5.4 of the same RFC mentions that:

The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

So, the RFC suggests you should use 404 whenever you wish to hide the requested resource’s existence, even when the consumer doesn’t have access to it.