403 Forbidden

Client Error - Access denied, authorization failed

HTTP 403 Forbidden

What It Means

The HTTP 403 Forbidden status code indicates that the server understood the request but refuses to authorize it. Unlike 401, authentication won't help — the client simply doesn't have permission to access this resource.

401 vs 403

  • 401: "I don't know who you are" — Need to log in
  • 403: "I know who you are, but you can't access this" — Logged in but not allowed

Common Causes

  • Insufficient permissions: User lacks required role (e.g., admin-only resource)
  • IP blocklist: Client's IP is blocked
  • Geographic restrictions: Content not available in user's region
  • File permissions: Web server can't read the file
  • Directory listing disabled: Trying to access directory without index file
  • Resource ownership: Trying to access another user's private data
  • CORS policy: Cross-origin request blocked

Example Response

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "forbidden",
  "message": "You don't have permission to access this resource",
  "required_role": "admin"
}

Server-Side Causes

File permissions (Linux)

# Check file permissions (the web server user must be able to read files
# and traverse every directory on the path)
ls -la /var/www/html/

# Fix permissions for web server: files readable (644), directories
# traversable (755); a directory missing the execute bit also yields 403
chmod 644 /var/www/html/index.html
chmod 755 /var/www/html
chown www-data:www-data /var/www/html/

Nginx directory listing

# Returns 403 if no index file and autoindex off
location /files/ {
    autoindex off;  # Causes 403 on directory access
}

API Authorization Example

// Express.js middleware
const express = require('express');
const app = express();

// Assumes an earlier authentication middleware has populated req.user
function requireAdmin(req, res, next) {
  if (!req.user) {
    return res.status(401).json({ error: 'Authentication required' });
  }
  if (req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Admin access required' });
  }
  next();
}

app.delete('/api/users/:id', requireAdmin, (req, res) => {
  // Only admins reach here
  res.status(204).end();
});

Security Considerations

Should you use 403 or 404?

For sensitive resources, returning 404 instead of 403 can hide the resource's existence from unauthorized users. This is a security-through-obscurity tradeoff, and it only works if the 404 sent to a denied caller is indistinguishable from the 404 sent for an id that truly does not exist; any difference in body, headers, or response time still reveals which ids are valid.
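The following added example (not code from the original page) combines the resource-ownership cause above with the 403-or-404 choice: a framework-independent decision function that returns 401, 403 or 404 for a request, with an option to answer denied requests exactly like missing resources. The names authorizeAccess, findResource, ownerId and hideExistence are assumptions for illustration, and the in-memory resource table is constructed sample data.

```javascript
// Constructed sample data standing in for a database lookup.
const RESOURCES = {
  'doc-1': { id: 'doc-1', ownerId: 'alice' },
  'doc-2': { id: 'doc-2', ownerId: 'bob' },
};

function findResource(id) {
  return RESOURCES[id] || null;
}

// Returns { status, body } describing how the server should answer.
// hideExistence=true applies the 403-or-404 trade-off: a denied request
// for an existing private resource gets the SAME 404 body as a request
// for an id that does not exist, so the response no longer reveals
// whether the id is valid. (Assumed helper, not a framework API.)
function authorizeAccess(user, resourceId, { hideExistence = false } = {}) {
  const notFound = { status: 404, body: { error: 'not_found' } };

  if (!user) {
    // Identity unknown: the client may succeed after authenticating.
    return { status: 401, body: { error: 'authentication_required' } };
  }

  const resource = findResource(resourceId);
  if (!resource) {
    return notFound;
  }

  // Owner or admin may read; everyone else is denied.
  const allowed = user.role === 'admin' || resource.ownerId === user.id;
  if (allowed) {
    return { status: 200, body: resource };
  }

  // Identity known but not permitted: 403 by default, or an
  // indistinguishable 404 when the resource's existence is sensitive.
  return hideExistence
    ? notFound
    : { status: 403, body: { error: 'forbidden' } };
}
```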

How to Debug

  1. Check if you're logged in with the right account
  2. Verify user roles/permissions in the database
  3. Check server file permissions
  4. Look for IP restrictions or WAF rules
  5. Check for CORS issues in browser console

