Don't forget that a 404 can technically leak information too. For example, you can tell who doesn't have adminnotes. Depending on the situation, that can be just as bad as indicating that the resource does exist.
In my opinion, errors shouldn't lie. If you give a 404, it should always be the case that the resource doesn't exist.
If you're dealing with sensitive information, then you can always say the user doesn't have permission for the resource. That doesn't require the resource to exist. The client may not even have permission to know whether the resource exists. Therefore you need to give a permission-denied error for any combination of /adminnotes/.
That said, the official spec seems to disagree; this is what the official RFC (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html) says about the errors:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent. The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism, that an old resource is permanently unavailable and has no forwarding address. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
I'm no expert, but I think it's crappy to give a "not found" when a resource may exist. I'd prefer a "forbidden", without a guarantee that the resource exists, implying that you would need to authenticate somehow in order to find out.
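As an added illustration (not part of the answer above), here is a small handler that compares the three policies discussed: the naive one (404 if missing, 403 if present but not allowed), the "always forbidden under /adminnotes/" one, and the RFC 2616 option of answering 404 instead. The note store, user names and paths are constructed for the demo; `leaks_existence` checks whether an unauthorised caller can tell an existing note from a missing one by the status code alone.

```python
SENSITIVE_PREFIX = "/adminnotes/"
ADMINS = frozenset({"root"})
# Constructed store for the demo: note path -> the user it belongs to
NOTES = {
    "/adminnotes/alice": "alice",
    "/adminnotes/bob": "bob",
}


def handle(path, user, policy="forbidden"):
    """Return an (HTTP status, body) pair for a GET of `path` by `user`.

    policy="naive":      404 if missing, 403 if present but not allowed
                         (the status code reveals existence)
    policy="forbidden":  403 for anything under the sensitive prefix that
                         the caller may not read, whether or not it exists
    policy="not_found":  same, but answer 404 (the RFC 2616 10.4.4 option)
    """
    exists = path in NOTES
    allowed = user is not None and (user in ADMINS or NOTES.get(path) == user)
    if exists and allowed:
        return 200, f"note for {NOTES[path]}"
    if policy == "naive":
        return (403, "Forbidden") if exists else (404, "Not Found")
    if path.startswith(SENSITIVE_PREFIX) and user not in ADMINS:
        # Caller may not learn whether the note exists: identical answer either way.
        return (403, "Forbidden") if policy == "forbidden" else (404, "Not Found")
    # Admins (and non-sensitive paths) get an honest 404 for missing resources.
    return 404, "Not Found"


def leaks_existence(policy, user="mallory"):
    """True if an unauthorised caller gets different answers for an existing
    and a non-existing note, i.e. the response reveals existence."""
    present = handle("/adminnotes/alice", user, policy)
    absent = handle("/adminnotes/nobody", user, policy)
    return present != absent


if __name__ == "__main__":
    for policy in ("naive", "forbidden", "not_found"):
        print(policy, "leaks existence:", leaks_existence(policy))
```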