HTTPError.net

The fastest way to diagnose, understand, and fix any HTTP status code

403 Forbidden

Fault: Client
TL;DR

The server understood the request but refuses to authorize it.

The client does not have access rights to the content.

What HTTP 403 Forbidden Means

The server understood the request but refuses to authorize it: the client does not have access rights to the content.

Common Causes

How to Fix It (For Visitors)

How to Fix It (For Developers/Admins)

Returning a 403 Forbidden (Code Examples)

If you build APIs or web apps, here is how to send an HTTP 403 response and how to test for it:

Node.js (Express)

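const express = require('express');
const app = express();
// Refuse the request: the client has no access rights to this resource
app.get('/resource', (req, res) => {
  res.status(403).json({ error: 'Forbidden' });
});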

Python (Flask)

from flask import Flask, jsonify
app = Flask(__name__)

@app.route('/resource')
def resource():
    return jsonify(error='Forbidden'), 403  # JSON body sent with status 403

PHP

<?php
http_response_code(403);
header('Content-Type: application/json');
echo json_encode(['error' => 'Forbidden']);

Check the status with curl

curl -I https://example.com/resource
# Look for: HTTP/1.1 403 Forbidden
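
The snippets above always answer 403. As an added example (not code from this site), here is a deny-by-default access check in a plain Python WSGI app that returns 403 only when an identified client lacks access rights, and goes one step further by contrasting it with 401 for missing credentials. The tokens, roles, paths and the status_for helper are constructed for illustration.

```python
# Added example: a deny-by-default authorization check in a plain WSGI app.
# TOKENS, ACL and the paths are constructed sample data, not from a real system.
from wsgiref.util import setup_testing_defaults

TOKENS = {"tok-alice": "admin", "tok-bob": "viewer"}  # bearer token -> role
ACL = {"/resource": {"admin"}, "/public": {"admin", "viewer"}}  # path -> roles


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    auth = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = auth.partition(" ")
    role = TOKENS.get(token) if scheme.lower() == "bearer" else None

    if role is None:
        # No valid credentials: the client is not identified (401, not 403).
        status, extra = "401 Unauthorized", [("WWW-Authenticate", "Bearer")]
    elif role not in ACL.get(path, set()):
        # Identified, but no access rights. Paths missing from ACL are denied too.
        status, extra = "403 Forbidden", []
    else:
        status, extra = "200 OK", []

    body = b'{"error": "Forbidden"}' if status.startswith("403") else b"{}"
    start_response(status, [("Content-Type", "application/json")] + extra)
    return [body]


def status_for(path, token=None):
    """Call the app in-process (no network) and return the numeric status."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])


if __name__ == "__main__":
    for path, token in [("/resource", "tok-alice"), ("/resource", "tok-bob"),
                        ("/resource", None), ("/unlisted", "tok-alice")]:
        print(path, token, status_for(path, token))
```

The 403 body stays generic on purpose: it does not say which role or rule caused the refusal.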

Frequently Asked Questions

What does HTTP 403 Forbidden mean?

The server understood the request but refuses to authorize it. In short: the client does not have access rights to the content.

Is 403 Forbidden a client or server error?

403 is a 4xx client-error code, so the request itself needs to change. The server is running normally and is rejecting the request as it was sent by the browser, app, or API client.

How do I fix a 403 Forbidden error?

Check file/directory permissions (755 for directories, 644 for files). Review .htaccess rules. Verify firewall/WAF settings.

Official Specification

The 403 Forbidden status code is defined in RFC 7231 Section 6.5.3.
