Support that instead of a redirection an unauthorized user instead sees a 404 page. The redirect tells that "something is there" which might be a security issue. Showing a 404 (like GitHub does too), intentionally not a 401, is better because that would again tell about the existence of the item.
Support that instead of a redirection an unauthorized user instead sees a 404 page. The redirect tells that "something is there" which might be a security issue. Showing a 404 (like GitHub does too), intentionally not a 401, is better because that would again tell about the existence of the item.