I think your colleague is right, but I think it is a small security issue because you may be able to evaluate which routes exist, but it does not seem like a big issue to me. In the end both work if you design your frontend in a way that fits.
My thoughts exactly on the security. Even though security through obscurity is not a good practice, if we return 401 for all unauthenticated requests, then we're hiding which routes exist if the user is not authenticated.
Yeah, from a security aspect it totally makes sense.
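The ordering discussed in this thread, as an added example that is not part of any comment or of the original post: running the authentication check before the route lookup makes every unauthenticated response identical, while routing first lets a 404 versus 401 difference reveal which paths exist. The route table, token and function names are constructed for illustration.

```python
import hmac

# Constructed sample data: a route table and one valid bearer token.
ROUTES = {"/api/orders": "orders", "/api/users": "users"}
VALID_TOKEN = "constructed-sample-token"


def is_authenticated(headers):
    """True only for 'Authorization: Bearer <VALID_TOKEN>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison on bytes, so any token string is accepted as input.
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode(), VALID_TOKEN.encode()
    )


def route_first(path, headers):
    """Route lookup before the auth check: 404 vs 401 shows which paths exist."""
    if path not in ROUTES:
        return 404, "not found"
    if not is_authenticated(headers):
        return 401, "unauthorized"
    return 200, ROUTES[path]


def auth_first(path, headers):
    """Auth check before route lookup: unauthenticated requests all get one 401."""
    if not is_authenticated(headers):
        return 401, "unauthorized"
    if path not in ROUTES:
        return 404, "not found"
    return 200, ROUTES[path]


def distinguishable(handler, paths, headers):
    """True if the responses differ across paths for the same caller."""
    return len({handler(p, headers) for p in paths}) > 1


if __name__ == "__main__":
    probe = ["/api/orders", "/api/does-not-exist"]
    print("route_first distinguishable:", distinguishable(route_first, probe, {}))
    print("auth_first distinguishable:", distinguishable(auth_first, probe, {}))
```

The comparison covers status and body only; response headers and timing would also have to match for the two cases to be indistinguishable in practice.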