403 Forbidden
Description
The 403 Forbidden status code indicates that the server understood the request but refuses to authorize it. Unlike a 401 Unauthorized response, authenticating will make no difference. The client does not have the necessary permissions to access the resource.
This status code is commonly used when:
- A user is authenticated but lacks the required permissions for the resource
- Access to a resource is blocked for policy reasons
- The resource exists but is deliberately hidden from the client
- IP-based restrictions prevent access to the resource
- Rate limiting or quota restrictions have been exceeded
The 403 Forbidden status code differs from 401 Unauthorized in that authentication is not the issue: the client has identified itself correctly, but it does not have permission to perform the requested action or access the requested resource.
Syntax
The server responds with a 403 Forbidden status and typically includes an explanation:
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: [length in bytes]

{
"error": "Forbidden",
"message": "You do not have permission to access this resource"
}
Examples
Insufficient Permissions Example
An authenticated user attempts to access a resource they don't have permission to view:
Client Request:
GET /admin/settings HTTP/1.1
Host: app.example.com
Cookie: session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Server Response:
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 143

{
"error": "Forbidden",
"message": "You do not have administrative privileges required to access this resource",
"required_role": "admin"
}
Geolocation Restriction Example
A client attempts to access content that is restricted in their geographic region:
Client Request:
GET /content/video/12345 HTTP/1.1
Host: streaming.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Server Response:
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 172

{
"error": "Forbidden",
"message": "This content is not available in your region due to licensing restrictions",
"region_detected": "DE",
"available_in": ["US", "CA", "UK"]
}
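The Description section and the two examples above (insufficient permissions, geolocation restriction) describe the decision a server makes before it answers 401, 403 or 200. The following Python handler is an added example, not code from the original page: it separates the authentication step (is the caller identifiable at all, answered with 401) from the authorization step (the caller is known but lacks the role or is outside the licensed region, answered with 403), and also covers the "deliberately hidden" case from the Description by answering 404 so that a denied caller cannot confirm the resource exists. The session table, the per-route policy table, the token names and the `/internal/metrics` route are constructed assumptions for the example.

```python
import json

# Constructed sample data (not from the original page): session tokens and the
# user records they resolve to. A real service would look these up in a store.
SESSIONS = {
    "sess-alice": {"user": "alice", "roles": ["viewer"]},
    "sess-bob": {"user": "bob", "roles": ["viewer", "admin"]},
}

# Hypothetical per-route policy: the role a caller must hold, an optional list
# of licensed regions, and whether a denial should hide the resource's
# existence by answering 404 instead of 403.
ROUTES = {
    "/admin/settings": {"required_role": "admin"},
    "/content/video/12345": {"required_role": "viewer",
                             "available_in": ["US", "CA", "UK"]},
    "/internal/metrics": {"required_role": "operator", "hide": True},
}


def json_response(status, body, extra_headers=None):
    """Build (status, headers, body); Content-Length is computed from the body."""
    payload = json.dumps(body).encode("utf-8")
    headers = {"Content-Type": "application/json",
               "Content-Length": str(len(payload))}
    headers.update(extra_headers or {})
    return status, headers, body


def extract_token(headers):
    """Accept either a session cookie or a bearer token, as the page's examples do."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def authorize(path, headers, client_region):
    """Decide 401 vs 403 (vs 404/200) for a request to `path`.

    `client_region` stands in for whatever geolocation the edge derived from
    the client address; it is an input here so the decision is testable.
    """
    policy = ROUTES.get(path)
    if policy is None:
        return json_response(404, {"error": "Not Found"})

    # Authentication: can we identify the caller at all? If not, 401.
    session = SESSIONS.get(extract_token(headers))
    if session is None:
        return json_response(
            401,
            {"error": "Unauthorized",
             "message": "Authentication is required to access this resource"},
            {"WWW-Authenticate": 'Bearer realm="api"'},
        )

    # Authorization: the caller is known; does it hold the required role?
    if policy["required_role"] not in session["roles"]:
        if policy.get("hide"):
            # Deliberately hidden resource: do not confirm that it exists.
            return json_response(404, {"error": "Not Found"})
        return json_response(403, {
            "error": "Forbidden",
            "message": "You do not have the role required to access this resource",
            "required_role": policy["required_role"],
        })

    # Policy restriction: allowed in principle, but not from this region.
    allowed_regions = policy.get("available_in")
    if allowed_regions is not None and client_region not in allowed_regions:
        return json_response(403, {
            "error": "Forbidden",
            "message": "This content is not available in your region due to licensing restrictions",
            "region_detected": client_region,
            "available_in": allowed_regions,
        })

    return json_response(200, {"ok": True, "user": session["user"]})


if __name__ == "__main__":
    for path, hdrs, region in [
        ("/admin/settings", {"Cookie": "session=sess-alice"}, "US"),
        ("/admin/settings", {"Cookie": "session=sess-bob"}, "US"),
        ("/admin/settings", {}, "US"),
        ("/content/video/12345", {"Authorization": "Bearer sess-alice"}, "DE"),
        ("/internal/metrics", {"Cookie": "session=sess-alice"}, "US"),
    ]:
        status, _, body = authorize(path, hdrs, region)
        print(status, path, body)
```

The ordering of the checks is the point: the 401 branch runs before any policy lookup on the caller, so an unauthenticated client never learns which role a route requires, and the `hide` flag keeps the 403 body's `required_role` hint from being returned on routes whose existence should not be revealed.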
Rate Limiting Example
A client exceeds the allowed number of requests to an API:
Client Request:
GET /api/data HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Server Response:
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 196
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1623761445

{
"error": "Forbidden",
"message": "Rate limit exceeded",
"details": "You have exceeded the 100 requests per hour allowed by your plan",
"upgrade_url": "https://api.example.com/pricing"
}
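The rate-limiting example above shows the response but not how the counter and the X-RateLimit-* headers are produced. The Python below is an added example, not code from the original page: a per-client counter whose window starts at the client's first request, and a handler for /api/data that attaches the limit, remaining and reset headers to every response and answers 403 once the limit is exceeded. Two caveats a practitioner would want: RFC 6585 defines 429 Too Many Requests specifically for this situation, so the handler takes the denial status as a parameter (defaulting to the page's 403) and adds Retry-After when 429 is chosen; and the X-RateLimit-* header names are a widespread convention rather than a standard. The clock is injectable so the behaviour can be checked with a fixed timestamp; the limiter class, the client key and the sample record are constructed for the example.

```python
import json
import time


class RateLimiter:
    """Per-client request counter: `limit` requests in a window that starts at
    the client's first request and lasts `window_seconds`.

    `now` is injectable so the behaviour can be checked with a fixed clock.
    """

    def __init__(self, limit=100, window_seconds=3600, now=time.time):
        self.limit = limit
        self.window = window_seconds
        self.now = now
        self._state = {}  # client key -> (window_start, count)

    def check(self, key):
        """Count one request; return (allowed, remaining, reset_epoch)."""
        t = int(self.now())
        start, count = self._state.get(key, (t, 0))
        if t >= start + self.window:
            start, count = t, 0  # previous window expired; start a new one
        count += 1
        self._state[key] = (start, count)
        remaining = max(self.limit - count, 0)
        return count <= self.limit, remaining, start + self.window


def handle_api_data(limiter, client_key, deny_status=403):
    """Serve GET /api/data, attaching X-RateLimit-* headers to every response.

    `deny_status` is 403 to match the page's example; 429 is the status
    RFC 6585 defines for rate limiting.
    """
    allowed, remaining, reset = limiter.check(client_key)
    rate_headers = {
        "X-RateLimit-Limit": str(limiter.limit),
        "X-RateLimit-Remaining": str(remaining),
        "X-RateLimit-Reset": str(reset),
    }
    if allowed:
        status, body = 200, {"data": ["constructed sample record"]}
    else:
        status, body = deny_status, {
            "error": "Forbidden" if deny_status == 403 else "Too Many Requests",
            "message": "Rate limit exceeded",
            "details": "You have exceeded the %d requests per %d seconds allowed by your plan"
                       % (limiter.limit, limiter.window),
        }
        if deny_status == 429:
            # Retry-After tells the client how long to back off, in seconds.
            rate_headers["Retry-After"] = str(max(reset - int(limiter.now()), 0))
    payload = json.dumps(body).encode("utf-8")
    headers = {"Content-Type": "application/json",
               "Content-Length": str(len(payload)), **rate_headers}
    return status, headers, body


if __name__ == "__main__":
    # Fixed clock so the reset epoch matches the page's example (1623761445).
    limiter = RateLimiter(limit=3, window_seconds=3600, now=lambda: 1623757845)
    for _ in range(4):
        status, headers, body = handle_api_data(limiter, "client-a")
        print(status, headers["X-RateLimit-Remaining"], headers["X-RateLimit-Reset"], body)
```

The counter keeps incrementing past the limit so that X-RateLimit-Remaining stays at 0 for the rest of the window rather than wrapping, and the state is keyed per client so one client exhausting its quota does not affect another.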
Summary
The 403 Forbidden status code is a crucial component of access control in web applications and APIs. It clearly communicates that the server understands what the client is asking for, but has made a deliberate decision to deny access. Unlike authentication issues (which would result in a 401 Unauthorized), a 403 Forbidden response indicates that the client's identity is known but they simply don't have the necessary permissions or rights to access the requested resource. This status code helps maintain security boundaries and enforce access control policies across web applications.