Geekflare
[gtranslate]
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Apache HTTP , Nginx and WordPress  |  Last updated: July 12, 2020
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Redirecting to 404 from 403

By

Redirect 403 HTTP status return code to 404

Why?

403 (forbidden) HTTP status code gives a clue about a correct path, and you don’t have permission to access it. This confirms file/folder exists and it’s restricted.

Thus, 403 allows the hacker to know more about your file system structure and room for security vulnerabilities.

It’s a good idea to redirect 403 return code to 404 (not found), so there is no room for a guess. This is often asked to implement in the payment industry or transactional application production system.

There are multiple ways to get this done and following I’ve explained doing in Apache HTTP, Nginx.

Note: take a backup of the necessary configuration file before modifying. And if possible, test in non-production first.

Apache HTTP

We will use ErrorDocument directive to achieve this

  • Create a file at DocumentRoot level which will be served at 404
  • Let’s name the file 404
  • Add the following in httpd.conf file
ErrorDocument 403 /404

Above, I am instructing Apache to serve /404 file whenever 403 occurred

  • Save the configuration file and restart Apache to test it

Nginx

Let’s use error_page directive to get this done

  • Create a file name called 404.html
  • Add the following in server section under Nginx configuration file
error_page 404 /404.html;
error_page 403 =404 /404.html;

Above, in the first line, Nginx will serve /404.html whenever file not found and the second line, /404.html will be served whenever requested resources return 403.

WordPress

You can use the Custom Error Pages plugin which allows you to setup a custom page for 401 and 403 status code.

I hope this helps you. If you are interested in learning Web Security then I would suggest checking out this course.

  • Chandan Kumar
    Author
    As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.
Thanks to our Sponsors
More great readings on Apache HTTP
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti
    Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Brightdata
    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Monday.com
    Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder
    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder