<- All Comparisons

403 Forbidden vs 404 Not Found: When to Hide Resources

Use 403 for explicit access denial, or 404 to conceal resource existence when security policy requires reducing endpoint and object enumeration risk.

Last reviewed: February 20, 2026|Editorial standard: source-backed comparison guidance

Quick Decision

-Use 403 when the request is understood and the caller is not allowed to access an intentionally visible resource.
-Use 404 when the resource truly cannot be resolved or when your policy intentionally conceals whether it exists.
-Apply one concealment policy per endpoint class; avoid per-request switching that creates an enumeration oracle.

Key Differences

-403 is an explicit authorization denial signal; 404 can be true absence or intentional nondisclosure.
-403 supports permission-remediation workflows; concealed 404 prioritizes anti-enumeration risk reduction.
-403 triage starts with policy decision logs; 404 triage starts with identifier, route, tenant, and lifecycle checks.
-Inconsistent 403/404 behavior on the same resource class leaks existence patterns to attackers.

When To Use 403 Forbidden

-Resource existence is not sensitive for this endpoint class and explicit permission denial is acceptable.
-Caller identity is known and policy evaluation denies the action at the resolved target.
-Product and support workflows require transparent deny semantics for faster operator diagnosis.

When To Use 404 Not Found

-Identifier truly has no current representation in the target scope (tenant, region, or namespace).
-Threat model requires concealment of object existence for unauthorized callers.
-Endpoint class is vulnerable to ID enumeration and you enforce a documented concealment policy.

Step-by-Step Diagnosis

1Classify the endpoint as explicit-deny or concealed-existence and verify implementation matches that class.
2Test unauthorized and nonexistent IDs with the same method and compare status, body shape, and cache headers.
3Confirm internal telemetry distinguishes true-not-found from concealed-not-found even if public response is always 404.
4Run tenant-boundary and sequential-ID probes to ensure responses do not reveal existence by timing or payload variance.

Common Misclassifications

-Returning 403 on concealed endpoints, which confirms that the target exists.
-Returning 404 for authentication failures where 401 semantics and challenge behavior are required.
-Using mixed 403/404 logic across similar routes, causing policy drift and discovery side channels.

Response Examples

403 for explicit authorization denialhttp

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "forbidden",
  "message": "You do not have permission to access this resource.",
  "request_id": "req_2f3b9b4f"
}

404 concealment response for protected object IDshttp

HTTP/1.1 404 Not Found
Content-Type: application/json

{
  "error": "not_found",
  "message": "Resource was not found."
}

Pro Tip

-For anti-enumeration routes, make unauthorized-existing and nonexistent IDs indistinguishable externally, but log an internal reason code (`concealed_not_found` vs `true_not_found`) for incident response.

Frequently Asked Questions

Is returning 404 instead of 403 allowed by HTTP semantics?

Yes. RFC 9110 explicitly allows an origin server to return 404 instead of 403 when it wants to hide the current existence of a forbidden target resource.

How do we avoid leakage when using concealment 404?

Keep status, payload schema, and caching behavior consistent for unauthorized-existing and truly nonexistent objects, and avoid timing differences where possible.

Should concealed 404 replace internal diagnostics?

No. Concealment is an external response policy. Internal logs and traces should still record whether the event was a real not-found or an authorization-based concealment.

403 Forbidden

Open detail page

404 Not Found

Open detail page

Official References

Related Articles

404 Not Found vs 410 Gone: Missing vs Permanent Removal

Learn when to return 404 (missing or temporary absence) versus 410 (intentional permanent removal), including redirect and cache implications.

401 Unauthorized vs 403 Forbidden: Auth vs Access Denied

Fix 401 Unauthorized vs 403 Forbidden by separating authentication failures from authorization denials, then apply the right login or permission fix fast.

403 Forbidden vs 404 Not Found: When to Hide Resources | HTTP