OK, perhaps an example is the best way to show what I mean.
Imagine a forum web system where user authentication is performed using some external method that the system knows about.
Now, say, for example, the user enters a URL for a stream that they don't have access to. For this I must return either 403 (Forbidden), so that the user knows they should try a different authentication method, or 404, not letting them know that there is something there to access.
Assuming I return 403, should I also return 403 when they access the URL for a topic that does not yet exist?
Edit: The above example was rather an example of something that exists IRL.
Another example, let's say I'm showing something like
/adminnotes/user
if there are administrator notes about the user. Now, if I return 403, the user finds out that there is something there. 404 would not say anything.
But if I were to return 403, I could return it for adminnotes/*, which would solve this problem.
Edit 2: Another example. Soft-deleted questions here return 404. However, with proper authentication and access you can still see them (I suppose).
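A small illustration of the "same status regardless of existence" idea from the post, as an added example that is not the asker's code: the topic store, the admin-notes store, the /adminnotes and /topic paths and the User type are all constructed for the demo. It also includes a check that a defender can run to confirm the status code gives a non-admin no way to tell an existing note from a missing one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: topic id -> (title, soft_deleted flag)
TOPICS = {
    1: ("Welcome", False),
    2: ("Spam thread", True),  # soft-deleted, like the "deleted questions" case
}
# Constructed sample data: admin notes exist only for some users
ADMIN_NOTES = {"alice": "watch for spam"}


@dataclass
class User:
    name: str
    is_admin: bool = False


def status_for(path: str, user: Optional[User]) -> int:
    """HTTP status a request for `path` should receive.

    Policy demonstrated:
      * /adminnotes/<name>: a non-admin always gets 403, decided before any
        lookup, so the status cannot be used to probe whether a note exists.
      * /topic/<id>: a soft-deleted topic is reported to ordinary users as
        404, indistinguishable from a topic that never existed; admins see it.
    """
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "adminnotes":
        if user is None or not user.is_admin:
            return 403  # uniform answer for the whole adminnotes/* prefix
        return 200 if parts[1] in ADMIN_NOTES else 404
    if len(parts) == 2 and parts[0] == "topic" and parts[1].isdigit():
        topic = TOPICS.get(int(parts[1]))
        if topic is None:
            return 404
        _title, deleted = topic
        if deleted and (user is None or not user.is_admin):
            return 404  # hide soft-deleted content from non-admins
        return 200
    return 404


def leaks_existence(existing: str, missing: str, user: Optional[User]) -> bool:
    """True if `user` can tell an existing path from a missing one by status."""
    return status_for(existing, user) != status_for(missing, user)
```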