406 vs 404 — Negotiation Failure
A request with unsatisfiable proactive negotiation headers (Accept, Accept-Language, Accept-Encoding, Accept-Charset) reaches negotiation evaluation for an existing target. The server treats the target as a resource with candidate representations, finds none acceptable, declines to send a default, and returns 406 Not Acceptable. A nonexistent target terminates at 404 before reaching negotiation semantics.
- What leaks: 406 confirms the server advanced past resource lookup into representation negotiation. This is the weakest Cache Probing vector — 406 is permitted but not mandated for negotiation failure (MAY-like). It does not prove a selected representation existed, only that negotiation was attempted.
Accept provides the cleanest trigger path. Accept-Language is secondary. Accept-Charset (deprecated) and Accept-Encoding (biased toward identity fallback) are poor canonical triggers. Unlike range-based vectors, 406 is not retrieval-specific — it applies to any method whose response content is subject to proactive negotiation.
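Added example (not from the original page): a small Python model of the lookup-then-negotiate ordering described above, which a test suite can use to check whether a handler declines to send a default representation. The resource table, the function names and the `strict` flag are assumptions made for illustration.

```python
# Added illustration; RESOURCES, function names and `strict` are hypothetical.
RESOURCES = {"/reports/q3": ["application/json", "text/html"]}  # constructed sample

def parse_accept(header):
    """Parse an Accept value into [(type, subtype, q)]."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        if "/" not in parts[0]:
            continue  # ignore malformed media ranges
        mtype, subtype = parts[0].lower().split("/", 1)
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat the range as refused
        ranges.append((mtype, subtype, q))
    return ranges

def quality(media_type, ranges):
    """q of the most specific matching range; 0.0 when nothing matches."""
    mtype, subtype = media_type.split("/", 1)
    best_spec, best_q = -1, 0.0
    for rtype, rsub, q in ranges:
        if rtype in ("*", mtype) and rsub in ("*", subtype):
            spec = (rtype != "*") + (rsub != "*")
            if spec > best_spec:
                best_spec, best_q = spec, q
    return best_q

def respond(path, accept, strict=True):
    """Status code only. strict=True declines to send a default representation."""
    candidates = RESOURCES.get(path)
    if candidates is None:
        return 404  # lookup terminates before negotiation is evaluated
    ranges = parse_accept(accept) if accept else [("*", "*", 1.0)]
    if any(quality(c, ranges) > 0 for c in candidates):
        return 200
    return 406 if strict else 200  # non-strict: disregard Accept, send default

def status_pair(accept, existing, missing, strict):
    """Statuses for a known-existing and a known-missing path under one Accept."""
    return respond(existing, accept, strict), respond(missing, accept, strict)

if __name__ == "__main__":
    for strict in (True, False):
        print(strict, status_pair("application/x-none", "/reports/q3", "/nope", strict))
```

With `strict=False` the 406 stage signal disappears, while the model's ordinary 200/404 difference for an unprotected target remains.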
416 vs 404 — Range Rejection
A GET request with an unsatisfiable Range header reaches range rejection for an existing target.
Validator Elicitation
Validator elicitation techniques use conditional request headers to force the server into representation evaluation paths that diverge based on target existence.