tzssangglass commented on PR #7497:
URL: https://github.com/apache/apisix/pull/7497#issuecomment-1189719577

401 means there is no authentication information or the authentication information is wrong; the client can then modify the authentication information and retry.

403 means the client has the correct authentication information, but the server believes that the authentication information corresponding to the user does not have the corresponding resource access rights, so there is no need to retry before obtaining the relevant rights from the administrator.

The logic of using 401 instead of 403 here is actually to hide the message. It is possible for an attacker to determine whether the account password is correct by judging the status code.
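As an added illustration of the point made in this comment (not code from the PR or from APISIX itself), the following Python model shows a gateway's auth decision under both policies: one that returns 401 for bad credentials and 403 for valid-but-unauthorized callers, and one that collapses both into 401. The consumer table, route ACL and function names are constructed for the example.

```python
import hmac

# Constructed sample data: consumer credentials and which consumers
# may call which routes (not taken from any real APISIX configuration).
CONSUMERS = {"alice": "s3cret", "bob": "hunter2"}
ROUTE_ACL = {"/admin": {"alice"}, "/public": {"alice", "bob"}}


def check_access(username, password, route, hide_auth_result):
    """Return the HTTP status a gateway would send for this request.

    hide_auth_result=False: 401 for bad credentials, 403 for correct
    credentials without rights (the two failures are distinguishable).
    hide_auth_result=True:  both failures become 401, so the status code
    no longer reveals whether the password was correct.
    """
    # Unknown users still go through the comparison so the code path
    # does not differ; compare_digest avoids timing differences too.
    expected = CONSUMERS.get(username, "")
    creds_ok = hmac.compare_digest(password, expected) and username in CONSUMERS
    if not creds_ok:
        return 401
    if username in ROUTE_ACL.get(route, set()):
        return 200
    return 401 if hide_auth_result else 403


def status_leaks_password_validity(route, hide_auth_result):
    """True if a caller without rights on `route` can tell a correct
    password from a wrong one just by comparing the two status codes."""
    wrong = check_access("bob", "wrong-password", route, hide_auth_result)
    right = check_access("bob", "hunter2", route, hide_auth_result)
    return wrong != right


if __name__ == "__main__":
    for hide in (False, True):
        print(f"hide_auth_result={hide}: "
              f"leaks={status_leaks_password_validity('/admin', hide)}")
```

With `hide_auth_result=False` the two responses differ (401 vs 403), which is exactly the oracle the comment describes; with `hide_auth_result=True` they are identical.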


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
