16

I've just seen the documentation of an API I have to communicate with, and facepalmed when I saw that some actions return 404 on success. And more bizarre things... Just wanted to make it worse for me, didn't you?
Once at it. Why don't you glue spikes onto my keys?
Ffs

Comments
  • 4
    404: you have successfully accessed a non-existing URL?
  • 6
    Well heck, isn't this API a cavalcade of random fuckery. Some of those actions returning 404 do not actually return 404, but 302 redirecting to another resource that returns 404. But the cookie I want is only returned with the 302 response, so I'll need to disable automatic redirect following for some of them...
    Amazing...
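The redirect problem in the comment above, as an added example that is not part of the original post or any commenter's code. A constructed stand-in API (`/login` answers 302 with a `Set-Cookie` header and a `Location` pointing at a resource that answers 404) runs on loopback, and a client built on the standard library's `urllib` shows the difference between following the redirect (the cookie on the intermediate hop is lost) and refusing to follow it (the 302 response itself, cookie included, is what you get back). The cookie name and value are made up for the demo.

```python
import http.cookies
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API described in the post (not a real service)."""

    def do_GET(self):
        if self.path == "/login":
            # The cookie the client actually needs is only on this 302 hop.
            self.send_response(302)
            self.send_header("Set-Cookie", "session=abc123; Path=/; HttpOnly")
            self.send_header("Location", "/after")
            self.end_headers()
        else:
            # The redirect target "succeeds" with a 404, as the post describes.
            self.send_response(404)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(b'{"ok": true}')

    def log_message(self, *args):  # keep request logging out of the demo output
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None here makes urllib stop and raise HTTPError carrying the 302."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_following(url):
    """Default behaviour: urllib follows the 302 and hands back the final response."""
    try:
        resp = urllib.request.urlopen(url)
        return resp.status, resp.headers.get("Set-Cookie")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Set-Cookie")


def fetch_without_following(url):
    """Capture the 302 itself: status, Location, and the cookies it set."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url)
        status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as e:
        # HTTPError is itself a response object, so the 302's headers are here.
        status, headers = e.code, e.headers
    jar = http.cookies.SimpleCookie(headers.get("Set-Cookie", ""))
    return status, headers.get("Location"), {k: m.value for k, m in jar.items()}


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeApi)  # port 0: let the OS pick one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run both clients against the fake API and return their results."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/login"
    try:
        return fetch_following(url), fetch_without_following(url)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    followed, stopped = demo()
    print("following redirects:", followed)      # (404, None): cookie lost
    print("not following:     ", stopped)        # (302, '/after', {'session': 'abc123'})
```

With `requests` the equivalent switch is `allow_redirects=False`; the point is the same in any client: a redirect-following client only ever shows you the last response in the chain, so anything set on an intermediate hop has to be read before the client moves on.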
  • 4
    @StefanH Haven't seen that video.

    But my response to that guy would be:

    What is the best way of defeating those script kiddies? Acting like one? -.-

    Wouldn't it be better to implement some strong authentication and then follow conventions so that the API is easy to communicate with?
  • 0
    @dozingncoding @StefanH I recommend the talk. He wasn't talking about APIs per se, he was explaining that browsers do stupid stuff because they have to be resilient, and consequently there are a bunch of codes that they ignore that attack scripts don't, so you can send the correct data after an incorrect code and the browser will respond fine while simultaneously breaking the attack script.

    I don't remember an API specific aspect of the talk. There was, I think, something about implementing logic on the server so it didn't always respond inappropriately, and only to known automated attack patterns. That would leave the SEO bots clear.

    The API here, just sounds like it's doing strange things for the sake of terrible design, though.
  • 0
    @StefanH I think you're taking the idea more seriously than the guy who gave it did. It's a security conference talk. A lot of those are intended to show off cool techniques, not necessarily be used in real life. If I remember correctly, he makes some recommendations for better things to do as well.
  • 1
    @dozingncoding See my previous reply. I'm not advocating for it either, even if I'm doing a good job of looking like it. I was merely explaining the basic ideas presented in the talk as I understood them because you said you hadn't seen the video and I thought it would bring clarity to the discussion since it had been brought up. Instead I think I managed to be more of a distraction, for which I apologise.
  • 3
    Sorry @powerfulparadox, I deleted my last post arguing against such practices as soon as I read your last post, understood that you are not defending that, and saw my comment was no longer relevant.

    You don't have to apologize.
  • 1
    If someone hits my APIs looking for a record that doesn't exist, I will return JSON explaining that along with status 404, because that's what it's for.

    If, of course, they are allowed to see it.

    Also, I don't use sequential IDs because that's just asking for scraping.
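The two practices in the comment above, as an added example that is not the commenter's code: a framework-independent lookup handler that answers 404 with a JSON body for a missing record, gives the same 404 when the record exists but the caller is not allowed to see it (so the response does not leak which IDs are taken), and mints record IDs from a random token instead of a counter so the ID space cannot be walked. The in-memory store, the `owner` field and the `(status, body)` return shape are assumptions for the demo.

```python
import secrets

# Constructed in-memory store keyed by record id (stand-in for a database).
RECORDS = {}


def new_id():
    """128 random bits, URL-safe. Unlike a sequential counter, knowing one id
    tells you nothing about the next, so the collection can't be enumerated."""
    return secrets.token_urlsafe(16)


def create_record(owner, payload):
    rid = new_id()
    RECORDS[rid] = {"owner": owner, "payload": payload}
    return rid


def get_record(requester, rid):
    """Hypothetical handler returning (http_status, json_body).

    Authorization is checked before anything about the record is revealed, and
    'does not exist' and 'exists but not yours' produce an identical response.
    """
    rec = RECORDS.get(rid)
    if rec is None or rec["owner"] != requester:
        return 404, {"error": "not_found", "id": rid}
    return 200, {"id": rid, "payload": rec["payload"]}


def demo():
    """Create one record and look it up as its owner, as someone else, and by a bogus id."""
    rid = create_record("alice", {"note": "hello"})
    return (
        get_record("alice", rid)[0],       # 200
        get_record("bob", rid)[0],         # 404, not 403: existence stays hidden
        get_record("alice", "no-such")[0], # 404
    )


if __name__ == "__main__":
    print(demo())
```

Collapsing "not yours" into 404 is a deliberate choice: a 403 would confirm that the ID is real, which is exactly the signal a scraper needs to separate live IDs from dead ones.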