Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wow. If I were a webserver, I'd return 204 for that URL, just for shits and giggles.


Despite the URL using "200" and not "2xx", any status between 200-299 inclusive would flag the server as having unreliable status codes. https://w3c.github.io/webappsec-change-password-url/response...


I have my webserver return the /index.html status 200 for any non-existent path in /. Since I didn't want bots to be able to detect I was doing this by this method I set nginx to return a 404 instead just for that path.

    location /.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200 {
        return 404;
    }




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: