Returning the wrong HTTP response code on purpose?

Has anyone ever thought about doing this?

Yes, there was actually a talk about exactly this at DEF CON 21 (video, slides).

Their conclusion was that working with response codes as offensive security can sometimes result in severely slowing down automatic scanners, non-working scanners, and a massive amount of false-positives or false-negatives (it will obviously do little to nothing for manual scans).

While security by obscurity should never be your only defense, it can be beneficial as defense in depth (another example: it is recommended to not broadcast version numbers of all used components).

On the other hand, a REST API should be as clean as possible, and replying with purposely wrong HTTP codes may be confusing for developers and legitimate clients (this is a bit less of a problem for browsers, where users don't actually see the codes). Because of this I wouldn't recommend it in your case, but it is still an interesting idea.


It won't actually slow down an attacker any appreciable amount, but will cause any future developers who work on your platform to be really annoyed at you. It may also cause certain nice features of your HTTP request libraries to not be so nice, as they're operating off of incorrect information.

This is a very weak form of security through obscurity. When designing a system like this, you should be thinking about slowing down an attacker by hundreds of years, not tens of minutes - otherwise you're still going to lose.
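The point about HTTP client libraries can be shown concretely. The following is an added example (not code from the thread): a toy server with two endpoints that use identical authentication logic, one answering a spec-conformant 401 with a challenge and the other the "confusing" 305, and a standard-library urllib client configured with credentials. The endpoint paths, credentials and realm are constructed for the demonstration. With the 401, urllib's auth handler transparently retries with credentials and the caller gets a 200; with the 305, urllib has no handler for that code and simply gives up with an error, so the legitimate client is the one that breaks.

```python
"""Added example (not from the original thread): shows what a standard HTTP
client library does with a correct 401 versus a deliberately wrong 305.
Server and client are both constructed here; nothing is fetched from the net."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credentials for the toy server; hypothetical, not from the page.
USER, PASSWORD = "alice", "s3cret"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class ToyApi(BaseHTTPRequestHandler):
    """Two endpoints with identical auth logic; only the failure code differs."""

    def do_GET(self):
        if self.headers.get("Authorization") == EXPECTED_AUTH:
            self._reply(200, b"ok")
        elif self.path == "/correct":
            # Spec-conformant: 401 plus a challenge tells the client how to proceed.
            self._reply(401, b"auth required", {"WWW-Authenticate": 'Basic realm="toy"'})
        else:
            # Deliberately misleading code, as the question proposes.
            self._reply(305, b"auth required", {"WWW-Authenticate": 'Basic realm="toy"'})

    def _reply(self, status, body, extra_headers=None):
        self.send_response(status)
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example output quiet
        pass


def fetch(opener, url):
    """Return (status, body) the client ends up with, or (code, None) if it gives up."""
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, None


def demo():
    """Run the toy server on a loopback port and query both endpoints."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), ToyApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        # urllib's auth handler reacts to 401 + WWW-Authenticate by retrying with credentials.
        passwords = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        passwords.add_password(None, base, USER, PASSWORD)
        opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(passwords))
        return {
            "correct": fetch(opener, base + "/correct"),     # (200, "ok")
            "confusing": fetch(opener, base + "/confusing"), # (305, None)
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The same asymmetry applies to any client that keys behaviour off status codes (auth retry, redirect following, cache rules, retry-on-5xx policies): those features only work when the code means what the spec says it means, which is why the cost lands on legitimate integrations rather than on anyone probing the API.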


Rather than return a "401 Unauthorized," why not return e.g. "305 Use Proxy," i.e. purposely being confusing.

Yes it will confuse an attacker. But for a trained one, it might not be for more than two seconds flat. And status codes are not all that useful, mainly just when brute-forcing file names.

Say I have a valid key, and I can observe you returning 200-range codes for my authentication. If I change a bit in my key, and for every request you return 305s, I will immediately think "Hmm. Seems like the dev might've messed up". If you return random codes, I'll know it was on purpose and I just ignore them.

the difficulty in reverse-engineering an iOS app will hopefully deter all but the most determined hackers

Yes it will, but since it only takes one to publish it, it's again just slowing it down.