
Return "404 Not Found" Instead of "403 Forbidden"

This is a follow-up to the post How to Prevent Visitors From Accessing Non-Critical Directories.

Another issue we should be aware of is the return code "403 Forbidden" itself. An attacker probing the server knows that a 403 confirms an existing, access-restricted and possibly sensitive directory, and may try harder to get at it.

The better practice is to tell such visitors that the directory they are looking for does not exist (404 Not Found), exactly as for any other missing path. This way the server does not reveal which protected paths exist.

Solution

The solution is quite simple: use the RedirectMatch directive, which matches the request URL path against a regular expression and returns the given status code for matching requests. For example, to make /status and every file under it answer with 404 Not Found, add the following to httpd.conf:

[root@test ~]# vi /etc/httpd/conf/httpd.conf
...
# /status, /status/ and anything below /status/ all answer with 404
RedirectMatch 404 ^/status(/?|/.*)$
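Before deploying a rule like this it is worth checking which paths the pattern actually catches, so that /status is hidden but an unrelated path such as /statusbar is not. The following script is an added example, not part of the original post: it parses RedirectMatch directives out of a constructed httpd.conf fragment (the post's /status rule plus a hypothetical rule for a .git directory, included only to show several rules together) and reports the status code Apache would return for a given request path. It assumes Apache evaluates RedirectMatch rules in configuration order with the first match winning, and that Python's re module treats this simple pattern the same way Apache's PCRE engine does.

```python
import re

# Constructed httpd.conf fragment for this example; the /status rule is the one
# from the post, the .git rule is a hypothetical second rule of the same shape.
HTTPD_CONF_FRAGMENT = r"""
# hide the status directory and everything under it
RedirectMatch 404 ^/status(/?|/.*)$
# hypothetical: hide an accidentally exposed .git directory the same way
RedirectMatch 404 ^/\.git(/.*)?$
"""

# RedirectMatch <status> <regex>; only the numeric-status form is handled here
DIRECTIVE = re.compile(r'^\s*RedirectMatch\s+(\d{3})\s+(\S+)\s*$')


def parse_redirectmatch(conf_text):
    """Return a list of (status_code, compiled_regex) in configuration order.

    Blank lines and comments are skipped; lines that are not RedirectMatch
    directives are ignored so a larger config fragment can be passed in.
    """
    rules = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        match = DIRECTIVE.match(stripped)
        if match:
            rules.append((int(match.group(1)), re.compile(match.group(2))))
    return rules


def status_for(path, rules):
    """Status code the first matching rule would return, or None if no rule matches.

    Apache applies RedirectMatch to the URL path in configuration order, so the
    first hit wins here as well.
    """
    for code, pattern in rules:
        if pattern.search(path):
            return code
    return None


def check_paths(paths, rules):
    """Map each request path to the status the rules would produce (None = served normally)."""
    return {path: status_for(path, rules) for path in paths}


if __name__ == '__main__':
    rules = parse_redirectmatch(HTTPD_CONF_FRAGMENT)
    sample_paths = [
        '/status', '/status/', '/status/server.log',   # should all be hidden
        '/statusbar', '/status2.html',                  # must NOT be caught
        '/.git/config', '/index.html',
    ]
    for path, code in check_paths(sample_paths, rules).items():
        print(f'{path:22} -> {code if code else "served normally"}')
```

Run it directly to see the table of paths and outcomes. The anchors ^ and $ in the pattern are what keep /statusbar and /status2.html out of the match; dropping them is the usual mistake that turns a narrow rule into one that hides unrelated content.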

One more thing: RedirectMatch evaluates its regular expression on every request, so a long list of such rules can add measurable overhead on a busy web server. Keep the patterns few and simple, and be aware of this cost.
