403 Forbidden

HTTP response status code 403 Forbidden is a client error that is returned by the server to indicate that the client does not have access to the requested resource, and does not offer an Authentication scheme by which access can be granted.

Usage

When the 403 Forbidden error message is received, the client does not have sufficient permissions to access the resource. This is a common error and in a very general way, tells the client that the request is not allowed. This is different from the more specific status, 401 Unauthorized, because the error will persist, even if the client re-authenticates and re-submits the HTTP request. Similarly, the more specific 405 Method Not Allowed status is used to tell the client that the resource is available, but their specific HTTP request is not permitted.

Note

Search engines like Google will not index a URL with 403 Forbidden response status, and consequently, URLs that have been indexed in the past but are now returning this HTTP status code will be removed from the search results.

Example

In the example, the client requests a resource and the server responds with the 403 Forbidden status to indicate that the client does not have access to this protected resource.

Request

GET /tech-news/confidential.pdf HTTP/1.1
Host: www.example.re

Response

HTTP/1.1 403 Forbidden

Code references

.NET

HttpStatusCode.Forbidden

Rust

http::StatusCode::FORBIDDEN

Rails

:forbidden

Go

http.StatusForbidden

Symfony

Response::HTTP_FORBIDDEN

Python3.5+

http.HTTPStatus.FORBIDDEN

Java

java.net.HttpURLConnection.HTTP_FORBIDDEN

Apache HttpComponents Core

org.apache.hc.core5.http.HttpStatus.SC_FORBIDDEN

Angular

@angular/common/http/HttpStatusCode.Forbidden

Takeaway

The 403 Forbidden status code is a widely used and rather non-specific response to tell a client that the HTTP request is not allowed.

See also

Last updated: August 2, 2023