diff --git a/atst/app.py b/atst/app.py
index c86ab9bf..d095a8bf 100644
--- a/atst/app.py
+++ b/atst/app.py
@@ -15,6 +15,7 @@ from atst.routes import bp
 from atst.routes.workspaces import bp as workspace_routes
 from atst.routes.requests import requests_bp
 from atst.routes.dev import bp as dev_routes
+from atst.routes.errors import make_error_pages
 from atst.domain.authnid.crl.validator import Validator
 from atst.domain.auth import apply_authentication
@@ -45,6 +46,7 @@ def make_app(config):
 Session(app)
 assets_environment.init_app(app)
+ make_error_pages(app)
 app.register_blueprint(bp)
 app.register_blueprint(workspace_routes)
 app.register_blueprint(requests_bp)
diff --git a/atst/routes/__init__.py b/atst/routes/__init__.py
index 1884d28f..4e346fa9 100644
--- a/atst/routes/__init__.py
+++ b/atst/routes/__init__.py
@@ -1,4 +1,4 @@
-from flask import Blueprint, render_template, g, redirect, session, url_for, request
+from flask import Blueprint, abort, render_template, g, redirect, session, url_for, request
 from flask import current_app as app
 import pendulum
@@ -39,15 +39,7 @@ def login_redirect():
 return redirect(url_for("atst.home"))
 else:
- return redirect(url_for("atst.unauthorized"))
-
-
-@bp.route("/unauthorized")
-def unauthorized():
- template = render_template('unauthorized.html')
- response = app.make_response(template)
- response.status_code = 401
- return response
+ return abort(401)
 def _is_valid_certificate(request):
diff --git a/atst/routes/errors.py b/atst/routes/errors.py
new file mode 100644
index 00000000..261c654c
--- /dev/null
+++ b/atst/routes/errors.py
@@ -0,0 +1,13 @@
+from flask import render_template
+
+
+def make_error_pages(app):
+ @app.errorhandler(404)
+ def not_found(e):
+ return render_template("not_found.html"), 404
+
+
+ @app.errorhandler(401)
+ def unauthorized(e):
+ return render_template('unauthorized.html'), 401
+
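Review bot: `return abort(401)` in login_redirect never returns — Flask's abort() raises an HTTPException — so the `return` is dead code and reads as if a response were being built; write it as a bare `abort(401)`, which is also how the same commit writes `abort(404)` in requests_form.py. With the unauthorized() view deleted, `render_template` and the `current_app as app` alias imported at the top of this module may no longer have a user; the rest of the file is outside the hunk, so that needs checking there. login_redirect's body starts above this hunk.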
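Review bot: make_error_pages has no docstring even though it is now the single place the application's error responses are defined; add one along the lines of `"""Register app-wide handlers that render the 404 and 401 error templates."""`. The two handlers quote their template names differently (`"not_found.html"` versus `'unauthorized.html'`); pick one style. Strictly, RFC 7235 expects a 401 response to carry a WWW-Authenticate header; login here appears to be certificate-based at the proxy (the tests send HTTP_X_SSL_CLIENT_CERT), so there is no meaningful challenge to send, but a one-line comment on the 401 handler saying why the header is omitted would save the next reader the question.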
diff --git a/atst/routes/requests/requests_form.py b/atst/routes/requests/requests_form.py
index 391d49ed..688a4ce0 100644
--- a/atst/routes/requests/requests_form.py
+++ b/atst/routes/requests/requests_form.py
@@ -1,4 +1,4 @@
-from flask import g, redirect, render_template, url_for, request as http_request
+from flask import abort, g, redirect, render_template, url_for, request as http_request
 from . import requests_bp
 from atst.domain.requests import Requests
@@ -27,7 +27,7 @@ def requests_form_new(screen):
 @requests_bp.route("/requests/new//", methods=["GET"])
 def requests_form_update(screen=1, request_id=None):
 if request_id and not _can_view_request(request_id):
- return redirect(url_for("atst.unauthorized"))
+ abort(404)
 request = Requests.get(request_id) if request_id is not None else None
 jedi_flow = JEDIRequestFlow(screen, request, request_id=request_id)
diff --git a/templates/not_found.html b/templates/not_found.html
new file mode 100644
index 00000000..59cc223f
--- /dev/null
+++ b/templates/not_found.html
@@ -0,0 +1,12 @@
+{% extends "error_base.html" %}
+
+{% block content %}
+
+
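Review bot: Answering `abort(404)` rather than a 401/403 when the caller may not view a request is a deliberate choice — it stops a non-owner from learning whether a given request id exists — but nothing in the code records that, and a later maintainer could "correct" it to 403; add `# 404, not 403: do not confirm to a non-owner that this request id exists` above the abort. Since `_can_view_request(request_id)` runs before `Requests.get`, an unknown id and another user's id now presumably produce the same response, which is consistent with that intent. The route string shows here as `/requests/new//`; the URL converters were most likely stripped by the page rendering rather than by the commit. requests_form_update's body continues past the hunk.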
+ +

Not Found

+ +
+ +{% endblock %} + diff --git a/tests/routes/test_request_new.py b/tests/routes/test_request_new.py index a7030e6f..1a722ca4 100644 --- a/tests/routes/test_request_new.py +++ b/tests/routes/test_request_new.py @@ -49,7 +49,7 @@ def test_non_owner_cannot_view_request(client, user_session): response = client.get("/requests/new/1/{}".format(request.id), follow_redirects=True) - assert response.status_code == 401 + assert response.status_code == 404 def test_ccpo_can_view_request(client, user_session): diff --git a/tests/test_auth.py b/tests/test_auth.py index 69cb3166..7e2b483d 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -27,8 +27,7 @@ def test_successful_login_redirect(client, monkeypatch): def test_unsuccessful_login_redirect(client, monkeypatch): resp = client.get("/login-redirect") - assert resp.status_code == 302 - assert "unauthorized" in resp.headers["Location"] + assert resp.status_code == 401 assert "user_id" not in session @@ -55,7 +54,6 @@ def test_routes_are_protected(client, app): UNPROTECTED_ROUTES = ["/", "/login-dev", "/login-redirect", "/unauthorized"] - # this implicitly relies on the test config and test CRL in tests/fixtures/crl @@ -72,8 +70,7 @@ def test_crl_validation_on_login(client): "HTTP_X_SSL_CLIENT_CERT": bad_cert.decode(), }, ) - assert resp.status_code == 302 - assert "unauthorized" in resp.headers["Location"] + assert resp.status_code == 401 assert "user_id" not in session # good cert is not on the test CRL, passes