HTTP 403 Forbidden
Access denied: the server understood the request and deliberately refuses to fulfil it.
What HTTP 403 means
HTTP 403 Forbidden means the server knows what you asked for and refuses. Unlike 401, authenticating (again) will not help — the refusal is about permissions or policy, not identity.
The reasons range from file-system permissions on the server, to geo/IP blocks, to a web application firewall deciding the request looks malicious. Some sites also return 403 instead of 404 to hide whether a resource exists.
Common causes of 403 errors
- Insufficient rights: the account lacks the role or the file lacks read permissions (chmod/owner on the server).
- IP address, country or user-agent blocked by the server, CDN or WAF rule.
- Directory listing requested where autoindex is disabled (no index.html in the folder).
- Hotlink protection rejecting requests with a foreign Referer.
- Cloudflare or another WAF challenge failed — automated traffic often sees 403 here.
How to fix it as a user
- Verify you are logged into an account that actually has access.
- Try without a VPN or proxy — your exit IP may be blocked.
- If you own the content, check file permissions and .htaccess/WAF rules rather than retrying.
How to fix it as a developer
- Check file ownership and permissions (e.g. 644 files / 755 directories for typical web servers).
- Review deny rules: .htaccess, nginx deny directives, security plugins, WAF managed rules.
- Ensure an index document exists or explicitly enable/disable directory listing as intended.
- For APIs, return 403 with a machine-readable reason so clients can distinguish policy from auth failures.
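The 401/403 split from the last item, and the uniform "hide existence" answer this page mentions, as an added example (not code from this page). The tokens, roles, routes and the `hide` flag are constructed assumptions, and headers are a plain dict for simplicity.

```python
import json

# Constructed sample data: tokens, roles and routes are hypothetical.
SESSIONS = {
    "tok-alice": {"user": "alice", "roles": {"admin"}},
    "tok-bob": {"user": "bob", "roles": {"viewer"}},
}
ROUTES = {
    "/admin/users": {"role": "admin", "hide": False},
    "/internal/keys": {"role": "admin", "hide": True},  # existence is secret
}


def _reply(status, body, extra_headers=()):
    headers = [("Content-Type", "application/json"), *extra_headers]
    return status, headers, json.dumps(body, separators=(",", ":"))


NOT_FOUND = (404, {"error": "not_found"})


def authorize(path, headers):
    """Return (status, headers, body) for an access decision on `path`.

    `headers` is a plain dict with exact-case keys (simplification).
    """
    route = ROUTES.get(path)
    if route is None:
        return _reply(*NOT_FOUND)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    session = SESSIONS.get(token) if scheme.lower() == "bearer" else None
    if session is not None and route["role"] in session["roles"]:
        return _reply(200, {"status": "ok"})
    if route["hide"]:
        # Uniform answer for anything unauthorized: identical to a missing path.
        return _reply(*NOT_FOUND)
    if session is None:
        # Identity unknown: authenticating can change the answer, so 401.
        return _reply(401, {"error": "unauthorized",
                            "reason": "missing or invalid credentials"},
                      [("WWW-Authenticate", 'Bearer realm="api"')])
    # Identity known, policy says no: re-authenticating will not help, so 403.
    role = route["role"]
    return _reply(403, {"error": "forbidden",
                        "reason": f"account lacks role: {role}"})
```

A client can branch on the status alone: 401 means prompt for credentials, 403 means stop retrying and surface the `reason`.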
Example response
HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error":"forbidden","reason":"account lacks role: admin"}
FAQ
What is the difference between 403 and 401?
401 asks you to authenticate; 403 says authentication will not change the answer — you simply are not allowed.
Why does a bot or script get 403 while a browser works?
A WAF or bot-protection layer is filtering non-browser traffic. Identify yourself properly or use the site's official API.
Can a 403 be returned instead of 404?
Yes — some servers hide the existence of resources by answering 403 (or 404) uniformly for anything unauthorized.