
Change the default meaning of 403? I don't think that's a good idea. When a user needs to be logged in to do something and they aren't, you show them 403. When access is restricted to people outside a network, they see 403. It'll be hard to force a new behaviour onto the existing web, easier to add a new HTTP code.



My understanding is that the server should respond with 401 Unauthorized when someone is attempting to access a resource that requires authentication. What is the case for using 403 instead?


OK, 401 makes more sense in that context. But another 403 case would be "the authorized user lacks permission to open resource."


When they have authenticated (logged on), but they still do not have access to that particular resource (but may have access to others).
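Added example, not part of any comment in this thread: a minimal status-selection routine following the 401/403 split described in the replies above, including the network-restriction case from the first comment. The token table, ACL, paths, realm name and function names are constructed assumptions for illustration.

```python
import hmac
import ipaddress

# Constructed sample data (assumptions for this example only).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}             # bearer token -> user
ACL = {"/reports": {"alice"}, "/intranet": {"alice", "bob"}}  # path -> permitted users
NETWORK_ONLY = {"/intranet": ipaddress.ip_network("10.0.0.0/8")}


def authenticate(headers):
    """Return the user for a valid Bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    for known, user in TOKENS.items():
        # Constant-time comparison so the check does not leak token prefixes.
        if hmac.compare_digest(known.encode(), token.strip().encode()):
            return user
    return None


def decide(path, headers, client_ip):
    """Return (status, response_headers) for a request."""
    net = NETWORK_ONLY.get(path)
    if net is not None and ipaddress.ip_address(client_ip) not in net:
        # Logging in cannot change the outcome, so no challenge is sent: 403.
        return 403, {}
    user = authenticate(headers)
    if user is None:
        # Missing or invalid credentials: 401, which must carry a
        # WWW-Authenticate challenge telling the client how to authenticate.
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}
    if user not in ACL.get(path, set()):
        # Identity is established but permission is missing: 403.
        # Paths absent from the ACL are denied by default.
        return 403, {}
    return 200, {}
```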



