Forbidden
Client Error (4xx)
The 403 Forbidden status code indicates that the server understood the request but refuses to authorize it. Unlike 401, providing different credentials will not help — the client simply does not have permission. The server may or may not explain the reason in the response body. This is used for access control and permission enforcement.
What is HTTP 403 Forbidden?
HTTP 403 Forbidden is a client error (4xx) status code: the server understood the request but refuses to authorize it, and, unlike 401, presenting different credentials will not help because the client simply does not have permission. The server may or may not explain the reason in the response body. Common causes include insufficient user permissions or role, and a blocked or rate-limited IP address. To fix it, verify that the user has the required role or permission.
Example Response
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error": "You do not have permission to access this resource"}
Common Causes
- Insufficient user permissions or role
- IP address blocked or rate limited
- Resource restricted by access control list
- Directory listing disabled on web server
- CORS policy blocking the request
How to Fix
1. Verify the user has the required role or permission
2. Check IP allowlists and blocklists
3. Review server access control configuration (htaccess, nginx config)
4. For CORS issues, configure the server to allow the requesting origin
5. Contact the resource owner to request access
Frequently Asked Questions
Should I return 403 or 404 for resources the user cannot access?
Use 403 if you want to confirm the resource exists but deny access. Use 404 if you want to hide the resource's existence entirely (security through obscurity). The choice depends on your security requirements; whichever you choose, apply it consistently, because mixing 403 and 404 for the same kind of resource lets a client tell existing resources from missing ones.
Can a 403 be caused by file permissions?
Yes. On a web server, if the server process does not have read permission for a file, it returns 403. Check file ownership and permissions (chmod, chown) on your server.
How is 403 different from 401?
401 means not authenticated — the client should provide credentials. 403 means authenticated but not authorized — the client's identity is known but they lack permission. Re-authenticating will not help with a 403.
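As an added example (not code from the original page), the decision logic behind the 401, 403 and 404 distinctions in the FAQ above and the IP-blocklist and role checks from the fix list, in Python; the users, ACL, blocklist and addresses are constructed sample data.

```python
import base64
from dataclasses import dataclass

# Constructed sample data: users with roles, a per-path ACL and an IP blocklist.
USERS = {"alice": ("s3cret", {"admin"}), "bob": ("hunter2", {"viewer"})}
ACL = {"/admin": {"admin"}, "/reports": {"admin", "viewer"}}
BLOCKED_IPS = {"203.0.113.9"}  # documentation-range address, constructed


@dataclass
class Decision:
    status: int
    body: str
    headers: dict


def _authenticate(authorization):
    """Return the username for a valid Basic credential, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode()
        user, _, password = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = USERS.get(user)
    return user if entry and entry[0] == password else None


def authorize(path, client_ip, authorization=None, hide_existence=False):
    """Map one request to the status code the page's rules call for."""
    if client_ip in BLOCKED_IPS:  # blocklisted: 403 regardless of identity
        return Decision(403, "Forbidden", {})
    user = _authenticate(authorization)
    if user is None:  # 401: credentials missing or wrong; re-authenticating can help
        return Decision(401, "Unauthorized", {"WWW-Authenticate": 'Basic realm="example"'})
    allowed_roles = ACL.get(path)  # checked only after authentication, so anonymous
    if allowed_roles is None:  # clients cannot tell unknown paths from protected ones
        return Decision(404, "Not Found", {})
    if USERS[user][1] & allowed_roles:
        return Decision(200, "OK", {})
    # Authenticated but lacking the role: 403 confirms the resource exists,
    # 404 hides it (the policy choice from the FAQ).
    if hide_existence:
        return Decision(404, "Not Found", {})
    return Decision(403, "You do not have permission to access this resource", {})


def basic(user, password):
    """Build an Authorization header value for the sample calls."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```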