We recently upgraded from 9.x to 12.x. Previously when a user would enter incorrect credentials, the system would tell them so. Now when they enter incorrect credentials, the system presents them with a 403 http response instead of a 401. Our community is set up to require all users to log in with valid credentials.
I broached this with our IT, and our firewall will block 403 errors. Our IT's response is below. What can be done to correct this?
----
Speaking exclusively for the issue where the user actually entered the wrong credentials for login, the root problem is that the application is responding with a 403 HTTP Response status code, when it actually should respond with a 401 HTTP Response status code.
Let me explain. This is the difference between 401 and 403 HTTP Response status codes, and why correcting the application behavior is important to resolve the issue where the user actually entered the wrong credentials for login:
Reference RFC 9110 (HTTP Semantics) https://httpwg.org/specs/rfc9110.html#status.401
401 Unauthenticated (Unauthorized): Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response.
403 Forbidden: The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401 Unauthorized, the client's identity is known to the server.
So, as you can observe from the RFC above, when the user enters the wrong credentials for login, he/she should receive a 401, as the RFC specifies, and not a 403 as is happening here. Correcting this bad RFC implementation on the community application is particularly important, because a 401 response is not blocked by the WAF, while a 403 is indeed blocked. We want by all (feasible) means to not allow 403 responses back to the client, in order to avoid the risk of attackers taking advantage of the web servers' error responses to gain information on the underlying infrastructure, and that is why it is a best security practice for the WAF policy to remain in place (403 provides far more information than a 401 for malicious actors).
Then the question is: can anyone correct the application behavior, so that it responds with a 401 HTTP Response status code (and not a 403) when the user enters the wrong credentials at login?
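As an added illustration of the 401-versus-403 distinction the IT response describes (example code written for this thread, not taken from the community application or its vendor): a small login check that returns 401 with the WWW-Authenticate challenge RFC 9110 requires whenever credentials are missing, malformed or wrong, and reserves 403 for a verified identity that lacks the required role. The realm, user store, password hashing and role names are constructed for the example.

```python
import base64
import hashlib
import hmac

REALM = "community"  # constructed for the example
# Constructed sample user store: username -> (sha256 hex of password, roles).
# A real application would use a dedicated password hash (argon2, bcrypt, scrypt).
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), {"member"}),
    "bob": (hashlib.sha256(b"battery staple").hexdigest(), set()),
}
# Compared against when the username is unknown, so an unknown user and a wrong
# password take the same code path and the same time.
DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()


def basic_header(user, password):
    """Build a Basic Authorization header value for a request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _parse_basic(authorization):
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def login_status(authorization, required_role="member"):
    """Map a request's Authorization header to (status code, extra response headers).

    401: credentials absent, malformed or wrong; identity is not established, so the
         response carries a WWW-Authenticate challenge (mandatory for 401 in RFC 9110).
    403: credentials verified, but this known identity lacks the required role.
    200: authenticated and authorized.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = _parse_basic(authorization)
    if creds is None:
        return 401, challenge
    user, password = creds
    record = USERS.get(user)
    expected = record[0] if record else DUMMY_HASH
    presented = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(expected, presented) or record is None:
        return 401, challenge
    if required_role not in record[1]:
        return 403, {}
    return 200, {}
```

A WAF rule that blocks 403 responses would then pass the wrong-password case through, since it is emitted as a 401 challenge; only a logged-in user hitting a resource they are not entitled to would ever produce a 403.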