403 Forbidden
The client is authenticated but does not have permission to access the resource.
What Is This?
The HTTP 403 Forbidden status code indicates that the client is authenticated (they proved who they are) but does not have permission to access the requested resource. Unlike 401, authentication is not the issue — authorization is. The server understood the request but refuses to fulfill it due to insufficient permissions, IP restrictions, or other access control policies.
Common Causes & Solutions
Common causes:
- User does not have the required role (e.g., a non-admin accessing an admin endpoint)
- IP address or geographic location blocked
- Resource access restricted by time, referral policy, or other condition
- Directory listing disabled and no index file exists
Implement role-based access control
Check user permissions on every protected endpoint and return 403 when the user lacks the required role.
```javascript
// Express.js RBAC middleware
const express = require('express')
const app = express()

// Assumes an authentication middleware has already run and populated req.user
// (e.g. from a session or a verified token); otherwise every request is refused.
function requireRole(...roles) {
  return (req, res, next) => {
    if (!req.user || !roles.includes(req.user.role)) {
      // Generic message: the specific reason belongs in server-side logs, not in the response
      return res.status(403).json({
        error: 'Forbidden',
        message: 'You do not have permission to access this resource'
      })
    }
    next()
  }
}

// deleteUser is the application's own data-layer function (not shown here)
app.delete('/api/users/:id', requireRole('admin'), (req, res) => {
  // Only admins can delete users
  deleteUser(req.params.id)
  res.status(204).end()
})
```
Frequently Asked Questions
Should I reveal why access was denied?
For security reasons, avoid revealing specific reasons for 403 responses. A generic 'Forbidden' message prevents attackers from learning about your permission structure. Log the specific reason server-side for debugging.
Can a 403 be triggered by file permissions?
Yes. On web servers, if a file exists but the web server process does not have read permissions, or if directory listing is disabled and no index.html exists, the server may return 403 instead of 404.
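The RBAC section and the first FAQ answer above come together in the following added example, which is not the reference's own code. It keeps the Express `(req, res, next)` middleware shape but uses a small hand-built `req`/`res` (an assumption, so it runs without Express installed), answers 401 when no user is authenticated and 403 when the user lacks the role, sends only a generic body to the client, and records the specific reason in a server-side log (`auditLog`, a stand-in for a real logger).

```javascript
// Added example: role check that separates 401 from 403 and keeps the
// detailed denial reason out of the response body.
const auditLog = []; // stand-in for a server-side logger

function requireRole(...roles) {
  return (req, res, next) => {
    if (!req.user) {
      // No authenticated user: authentication is the problem, so 401.
      auditLog.push({ status: 401, path: req.path, reason: 'no authenticated user' });
      return res.status(401).json({ error: 'Unauthorized' });
    }
    if (!roles.includes(req.user.role)) {
      // Authenticated but lacking the role: authorization is the problem, so 403.
      // The specific reason goes to the log only, never to the client.
      auditLog.push({
        status: 403, path: req.path, user: req.user.id,
        reason: `role '${req.user.role}' not in [${roles.join(', ')}]`,
      });
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

// Minimal stand-in for an Express response object; records what was sent.
function makeRes() {
  const out = { statusCode: 200, body: null };
  out.status = (code) => { out.statusCode = code; return out; };
  out.json = (obj) => { out.body = obj; return out; };
  return out;
}

// Runs the middleware for one constructed request and reports the outcome.
function handle(user, path, ...roles) {
  const req = { user, path };
  const res = makeRes();
  let reachedHandler = false;
  requireRole(...roles)(req, res, () => { reachedHandler = true; });
  return { status: reachedHandler ? 200 : res.statusCode, body: res.body, reachedHandler };
}
```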