REST api error response: should be informative or not?
Question
I'm implementing a REST api and i'm in doubt about the response content in case of error. For instance, I use a jwt token for authentication. In case the client provides a wrong token, the server answers with a 401 status code with the following body
{
"status":"failed",
"details":"JWT token not valid"
}
In case the client doesn't provide the token, the server answers with a 401 status code with the following body
{
"status":"failed",
"details":"missing JWT token"
}
And so on.
These HTTP answers are informative, and they are useful when debugging. The problem is that an attacker now knows that the API uses a token, instead of basic authentication or other kind of authentication system. For this reason, now I'm considering to answer only with the status code, and an empty body. This HTTP answer is not informative. An attacker doesn't know what's going on, and the same happens to me when debugging. My question is: what is the best practice? Informative content or not? Is it necessary to create security with obscurity or not?
Thank you
1 answers
solution1
0 ACCPTED 2019-01-11 12:30:32
If you return 401, the client will see what auth schemes are supported anyway:
"The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource." -- https://greenbytes.de/tech/webdav/rfc7235.html#status.401
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.