Add latest changes from gitlab-org/gitlab@master

1 files changed, 4 insertions, 0 deletions

diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md
index c9cd7161354..700de9e6b6e 100644
--- a/doc/development/secure_coding_guidelines.md
+++ b/doc/development/secure_coding_guidelines.md
@@ -53,6 +53,10 @@ Each time you implement a new feature/endpoint, whether it is at UI, API or Grap
 
 Be careful to **also test [visibility levels](https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/doc/development/permissions.md#feature-specific-permissions)** and not only project access rights.
 
+The HTTP status code returned when an authorization check fails should generally be `404 Not Found` in order to avoid revealing information
+about whether or not the requested resource exists. `403 Forbidden` may be appropriate if you need to display a specific message to the user
+about why they cannot access the resource. If you are displaying a generic message such as "access denied", consider returning `404 Not Found` instead.
+
 Some example of well implemented access controls and tests:
 
 1. [example1](https://dev.gitlab.org/gitlab/gitlab-ee/-/merge_requests/710/diffs?diff_id=13750#af40ef0eaae3c1e018809e1d88086e32bccaca40_43_43)