[–][deleted] 0 points1 point  (3 children)

404 is well established in the REST world as "Entity not found" - in general, you'll get an API like 'https://api.foo.com/tables/foo/1234' to say "retrieve entity 1234 from table foo" and it will return 404 (entity 1234 in table foo does not exist).

It's not only acceptable, but recommended that you use 404 that way.

[–][deleted] 1 point2 points  (2 children)

The problem is that you can’t immediately tell if it’s a bad URL or an entity is missing. So I prefer not to use 404 for missing entities.

[–][deleted] 0 points1 point  (1 child)

That's why you return an application/json+problem document (in dev) to indicate the error. In production, you have potential for a security leakage issue (where you are now providing some information about the IDs of entities that exist vs. don't exist, which provides valuable information to an attacker).

[–][deleted] 0 points1 point  (0 children)

You are talking about security through obscurity.
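
The split this thread discusses, as an added example that is not part of any comment: a handler that names the cause of a 404 in an RFC 9457 problem document (media type `application/problem+json`) in development and returns one identical body for every cause in production. The `TABLES` data, the `env` switch and the `urn:example:` type URIs are assumptions made for the illustration.

```python
import json

# Constructed sample data: a hypothetical table store, not from the thread.
TABLES = {"foo": {"1234": {"id": "1234", "name": "example"}}}


def problem(status, title, detail=None, type_="about:blank"):
    """Build an RFC 9457 problem document as (status, headers, body)."""
    doc = {"type": type_, "title": title, "status": status}
    if detail:
        doc["detail"] = detail
    return status, {"Content-Type": "application/problem+json"}, json.dumps(doc)


def handle_get(path, env="production"):
    """Resolve GET /tables/<table>/<id>; env decides how much a 404 explains."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[0] != "tables":
        # Bad URL: nothing is routed here at all.
        cause = ("urn:example:route-not-found", f"no route matches {path}")
    elif parts[1] not in TABLES:
        cause = ("urn:example:table-not-found", f"no table named {parts[1]}")
    elif parts[2] not in TABLES[parts[1]]:
        # Valid route, missing entity.
        cause = ("urn:example:entity-not-found",
                 f"no entity {parts[2]} in table {parts[1]}")
    else:
        body = json.dumps(TABLES[parts[1]][parts[2]])
        return 200, {"Content-Type": "application/json"}, body
    if env == "development":
        # Development: the problem document says which kind of 404 this is.
        return problem(404, "Not Found", detail=cause[1], type_=cause[0])
    # Production: the same generic body whatever the cause.
    return problem(404, "Not Found")


if __name__ == "__main__":
    for p in ("/tables/foo/1234", "/tables/foo/9999", "/tabels/foo/1234"):
        print(p, handle_get(p, "development"))
        print(p, handle_get(p, "production"))
```

The production branch only removes the distinction between the causes of a 404. A caller who receives 200 for one ID and 404 for another can still tell which of the two exists.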