Accessing a resource where the user doesn't have access should return 404

[jhnns]

It's best practice to not leak the existence of a resource by returning 403 when the resource has been found. It's better to just return 404 so that you can't guess ids. The testing tool should either enforce this or make it configurable if it's actually desired.

[niklashaug]

Makes sense, thanks for the suggestion! I think for the start it should just be configurable but not enforced since some applications may opt out of this. From a semantic point of view throwing a Not Found instead of a Forbidden response wouldn't be correct so I see the point of applications that still send a 403 which is the correct status in that case.

Implementation-wise, it could be required that the server being tested by the tool needs to send extra information in the response to let the tool know that this was just a "fake 404" and actually means Forbidden. This could be required depending on how #30 can be implemented (which is basically about handling side effects of requests that delete resources – which is detected by a 404 status code and would conflict with this fake 404).

Of course this extra information should only be sent during testing, but that would mean that consumers of the tool need to enhance the response with this extra information during testing – which is probably not ideal.