diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -34,7 +34,7 @@ import traceback
 from functools import wraps
 import ipaddress
-from pyramid.httpexceptions import HTTPForbidden, HTTPFound
+from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
 from pylons.i18n.translation import _
 # NOTE(marcink): this has to be removed only after pyramid migration,
 # replace with _ = request.translate
@@ -1415,8 +1415,8 @@ class PermsDecorator(object):
 h.route_path('login', _query={'came_from': came_from}))
 else:
- # redirect with forbidden ret code
- raise HTTPForbidden()
+ # redirect with 404 to prevent resource discovery
+ raise HTTPNotFound()
 def check_permissions(self, user):
 """Dummy function for overriding"""
diff --git a/rhodecode/tests/functional/test_admin_settings.py b/rhodecode/tests/functional/test_admin_settings.py
--- a/rhodecode/tests/functional/test_admin_settings.py
+++ b/rhodecode/tests/functional/test_admin_settings.py
@@ -462,7 +462,7 @@ class TestOpenSourceLicenses(object):
 '.panel-heading', 'Licenses of Third Party Packages')
 def test_forbidden_when_normal_user(self, autologin_regular_user):
- self.app.get(self._get_url(), status=403)
+ self.app.get(self._get_url(), status=404)
 @pytest.mark.usefixtures('app')
@@ -475,7 +475,7 @@ class TestUserSessions(object):
 }[name]
 def test_forbidden_when_normal_user(self, autologin_regular_user):
- self.app.get(self._get_url(), status=403)
+ self.app.get(self._get_url(), status=404)
 def test_show_sessions_page(self, autologin_user):
 response = self.app.get(self._get_url(), status=200)
@@ -502,7 +502,7 @@ class TestAdminSystemInfo(object):
 }[name]
 def test_forbidden_when_normal_user(self, autologin_regular_user):
- self.app.get(self._get_url(), status=403)
+ self.app.get(self._get_url(), status=404)
 def test_system_info_page(self, autologin_user):
 response = self.app.get(self._get_url())
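Review bot: The new `raise HTTPNotFound()` in the `else:` branch only hides protected resources if its response is indistinguishable from the one a genuinely missing resource receives; if the missing-resource path renders a different template, status text or noticeably different timing, an unauthorized caller can still tell the two cases apart, so this 404 should produce the same generic not-found page as the rest of the application. The comment is also inaccurate, since nothing is redirected here: `# reply with 404 instead of 403 so unauthorized callers cannot tell protected resources from missing ones` describes the line. Because the client now sees a 404, the real reason must remain visible server-side for operators and detection: unless the decorator already logs the denial earlier in this method (its start lies outside the hunk), add a warning-level log line naming the user and the denied resource before the raise, using the module's logger and whichever user/request variables are in scope at this point. `HTTPForbidden` is still imported; if this was its last use in the module, that import is now dead.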
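Review bot: The three tests named `test_forbidden_when_normal_user` in this file (here and in the hunks at 475 and 502) now assert a 404, so the name no longer describes what is checked; renaming them `test_not_found_when_normal_user` (and the matching `status=404` case in test_forks.py) keeps the intent readable. Beyond the status code, none of these tests verifies what the change is for: a test that fetches the same URL as an unauthorized user and as a request for a resource that does not exist, and asserts both yield the same status and the same not-found template, would pin the enumeration-resistance property rather than just the number.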
diff --git a/rhodecode/tests/functional/test_forks.py b/rhodecode/tests/functional/test_forks.py
--- a/rhodecode/tests/functional/test_forks.py
+++ b/rhodecode/tests/functional/test_forks.py
@@ -75,7 +75,7 @@ class _BaseTest(TestController):
 repo_name = self.REPO
 self.app.post(
 url(controller='forks', action='fork_create', repo_name=repo_name),
- {'csrf_token': self.csrf_token}, status=403)
+ {'csrf_token': self.csrf_token}, status=404)
 def test_index_with_fork(self):
 self.log_user()
diff --git a/rhodecode/tests/functional/test_integrations.py b/rhodecode/tests/functional/test_integrations.py
--- a/rhodecode/tests/functional/test_integrations.py
+++ b/rhodecode/tests/functional/test_integrations.py
@@ -214,7 +214,7 @@ def _post_integration_test_helper(app, u
 checks if the redirect url is correct.
 """
- app.post(url, params={}, status=403) # missing csrf check
+ app.post(url, params={}, status=403) # missing csrf check
 response = app.post(url, params={'csrf_token': csrf_token})
 assert response.status_code == 200
 assert 'Errors exist' in response.body