If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
This indicates we should either indicate why a request is forbidden or return a 404
To quote from the W3 HTTP1.1 spec (https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4):
This indicates we should either indicate why a request is forbidden or return a 404