I start typing in URLs that aren’t linked anywhere on the site, then I’m accessing stuff the site hasn’t explicitly indicated I have access to.
Doesn’t work like that. With the policy you describe, anyone who ever sees a “404” error is a criminal.
I don’t have to publish everything I am willing to offer. You are free to ask for something I may or may not have. I get to decide how to respond to your request.
To use your analogy, I can walk up to your door and request a glass of water. You’ve never explicitly offered a glass of water to anyone; I’m still allowed to ask. If you dont want me to have your water, you can say “No” or you can ignore me.
When you go ahead and give me a glass of water, you don’t get to claim I stole it from you. It is not theft to ask.
You have to make some sort of effort to have your web server limit my access, and I have to make some sort of effort to convince your webserver to bypass those restrictions before you can claim I am exceeding my authorization.
Doesn’t work like that. With the policy you describe, anyone who ever sees a “404” error is a criminal.
I don’t have to publish everything I am willing to offer. You are free to ask for something I may or may not have. I get to decide how to respond to your request.
To use your analogy, I can walk up to your door and request a glass of water. You’ve never explicitly offered a glass of water to anyone; I’m still allowed to ask. If you dont want me to have your water, you can say “No” or you can ignore me.
When you go ahead and give me a glass of water, you don’t get to claim I stole it from you. It is not theft to ask.
You have to make some sort of effort to have your web server limit my access, and I have to make some sort of effort to convince your webserver to bypass those restrictions before you can claim I am exceeding my authorization.