Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
HTTP 403
open-in-new
<h2 id="specifications">Specifications</h2> <p>HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account.<a class="footnote-ref" id="fnref:1" href="#fn:1"><sup>1</sup></a> </p><p>Error 403: "The server understood the request, but is refusing to authorize it."<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a>: §15.5.4 </p><p>Error 401: "The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource."<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a>: §15.5.2 </p><p>The <a href="/facts/Apache_HTTP_Server/tcmWYYUq">Apache</a> web server returns 403 Forbidden in response to requests for <a href="/facts/URL_redirection/4o1p9l7C">URL</a><a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> paths that corresponded to <a href="/facts/File_system/FdPm90uc">file system</a> <a href="/facts/Directory_(computing)/VLtLcEXY">directories</a> when directory listings have been disabled in the server and there is no <a href="/facts/Webserver_directory_index/MxwmYmqt">Directory Index</a> directive to specify an existing file to be returned to the browser. Some administrators configure the <a href="/facts/Mod_proxy/7jAPevA5">Mod proxy</a> extension to Apache to block such requests and this will also return 403 Forbidden. Microsoft <a href="/facts/Internet_Information_Services/nqmfJr3T">IIS</a> responds in the same way when directory listings are denied in that server. In <a href="/facts/WebDAV/kwPgWnHD">WebDAV</a>, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header or issued a Depth header of infinity.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> </p> <h2 id="causes">Causes</h2> <p>A 403 status code can occur for the following reasons:<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> </p> <ul><li>Insufficient permissions: The most common reason for a 403 status code is that the user lacks the necessary permissions to access the requested resource. This can mean that the user is not logged in, has not provided valid credentials, or does not belong to the appropriate user group to access the resource.</li> <li>Authentication required: In some cases, the server requires authentication to access certain resources. If the user does not provide valid credentials or if the authentication fails, a 403 status code is returned.</li> <li>IP restrictions: The server may also restrict access to specific IP addresses or IP ranges. If the user's IP address is not included in the list of permitted addresses, a 403 status code is returned.</li> <li>Server configuration: The server's configuration can be set to prohibit access to certain files, directories, or areas of the website. This can be due to a misconfiguration or intentional restrictions imposed by the server administrator.</li> <li>Blocked by firewall or security software: A 403 status code can occur if a firewall or security software blocks access to the resource. This may happen due to security policies, malware detection, or other security measures.</li></ul> <h2 id="examples">Examples</h2> <p>Client request:<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> </p> GET /securedpage.php HTTP/1.1 Host: www.example.org <p>Server response:<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> </p> HTTP/1.1 403 Forbidden Content-Type: text/html <html> <head><title>403 Forbidden</title></head> <body> <h1>Forbidden</h1> <p>You don't have permission to access /securedpage.php on this server.</p> </body> </html> <h2 id="see-also">See also</h2> <ul> <li>Internet portal</li></ul> <ul><li><a href="/facts/List_of_HTTP_status_codes/nTtX2f6r">List of HTTP status codes</a></li> <li><a href="/facts/URL_redirection/4o1p9l7C">URL redirection</a></li></ul> <h2 id="notes">Notes</h2> <h2 id="external-links">External links</h2> <ul><li><a href="https://web.archive.org/web/20170401060503/http://webauth.stanford.edu/manual/mod/mod_proxy.html">Apache Module mod_proxy – Forward</a></li> <li><a href="https://web.archive.org/web/20100109052253/http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html">Working with SELinux Contexts Labeling files</a></li> <li>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>See #Substatus error codes for IIS for possible reasons of why a webserver may refuse to fulfill a request. <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>R. Fielding; M. Nottingham; J. Reschke, eds. (June 2022). HTTP Semantics. Internet Engineering Task Force. doi:10.17487/RFC9110. ISSN 2070-1721. STD 97. RFC 9110. Internet Standard 97. Obsoletes RFC 2818, 7230, 7231, 7232, 7233, 7235, 7538, 7615 and 7694. Updates RFC 3864. <a href="/wiki/Roy_Fielding" target="_blank">/wiki/Roy_Fielding</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>R. Fielding; M. Nottingham; J. Reschke, eds. (June 2022). HTTP Semantics. Internet Engineering Task Force. doi:10.17487/RFC9110. ISSN 2070-1721. STD 97. RFC 9110. Internet Standard 97. Obsoletes RFC 2818, 7230, 7231, 7232, 7233, 7235, 7538, 7615 and 7694. Updates RFC 3864. <a href="/wiki/Roy_Fielding" target="_blank">/wiki/Roy_Fielding</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)". IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 12, 2016. <a href="https://web.archive.org/web/20160303200436/http://www.webdav.org/specs/rfc4918.html#rfc.section.9.1.1" target="_blank">https://web.archive.org/web/20160303200436/http://www.webdav.org/specs/rfc4918.html#rfc.section.9.1.1</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)". IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 12, 2016. <a href="https://web.archive.org/web/20160303200436/http://www.webdav.org/specs/rfc4918.html#rfc.section.9.1.1" target="_blank">https://web.archive.org/web/20160303200436/http://www.webdav.org/specs/rfc4918.html#rfc.section.9.1.1</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>HTTP status code 403 How do I solve the problem with the 403 status code? <a href="https://http-statuscode.com/en/code/4XX/403#item-9" target="_blank">https://http-statuscode.com/en/code/4XX/403#item-9</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Example of "Client request" and "Server response" for HTTP status code 403 <a href="https://http-statuscode.com/en/code/4XX/403#item-15" target="_blank">https://http-statuscode.com/en/code/4XX/403#item-15</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Example of "Client request" and "Server response" for HTTP status code 403 <a href="https://http-statuscode.com/en/code/4XX/403#item-15" target="_blank">https://http-statuscode.com/en/code/4XX/403#item-15</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> </ol>