Cliff Woolley wrote:
>
> Reverted.

Ta. 401 and 500 are (or can be) slightly special cases. 401 because we're not sure the user can access the resource and shouldn't let him know it even exists without that surety. And 500 because we're not sure what went wrong, and if the config error were fixed it might deny access. Paranoia mode.

403 is one of those on-the-fence things; we know access is categorically denied, but should we tell the user since he can (presumably) never get it? You'll find proponents on both sides, but most security people will plump for obscuring the resource's existence.

Good work, though, Cliff, and fast. :-)

--
#ken P-)}

Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/

"Millennium hand and shrimp!"