HTTP 4xx status code
403 Forbidden
403 Forbidden means the server understood exactly what you asked for and has decided you may not have it. Unlike a 404, the resource exists. Unlike a 401, the answer is not “log in first.” The server is simply refusing access, and it is under no obligation to say why.
The distinction from 401 Unauthorized is the part that trips people up. A 401 is about authentication, proving who you are, and supplying valid credentials can clear it. A 403 is about authorisation, whether you are allowed, and it often stands even when you are logged in. If the account you are using does not have permission, or the server has decided your request is not permitted, no amount of signing in will change the answer.
For site owners, a 403 usually points at one of a few things. File or directory permissions may be set too tightly, so the web server itself cannot read what it is meant to serve. An access rule, a firewall, or a security tool may be blocking a particular visitor or IP address. Or the application’s own permission checks may be stricter than intended. The fix depends on which of these is refusing the request, so the server’s configuration and logs are the place to look.
Frequently asked
What does 403 Forbidden mean?
It means the server understood the request but refuses to authorise it. You are not allowed to access this resource, and the server is choosing not to explain further. It is a refusal, not a request for you to log in.
What is the difference between 401 and 403?
401 Unauthorized means you are not authenticated, so logging in may fix it. 403 Forbidden means the server knows who you are, or does not care, and still will not allow access. With a 403, credentials usually will not help.
How do I fix a 403 error?
As a visitor, check you are logged in with an account that has permission, or that the URL is correct. As a site owner, common causes are wrong file permissions, a blocked IP address, or access rules that are stricter than intended.