|Response status codes|
|Security access control methods|
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it.
HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account.[a]
Error 403: "The server understood the request, but is refusing to authorize it." (RFC 7231)
Error 401: "The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials." (RFC 2616)
The Apache web server returns 403 Forbidden in response to requests for URL paths that corresponded to file system directories when directory listings have been disabled in the server and there is no Directory Index directive to specify an existing file to be returned to the browser. Some administrators configure the Mod proxy extension to Apache to block such requests and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory listings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header or issued a Depth header of infinity.
The HTTP status code 403 is used by the server to indicate that access to the requested resource is forbidden. This status code is triggered for various reasons and signifies that while the server understood the request, it refuses to grant access.
A 403 status code can occur for the following reasons:
GET /securedpage.php HTTP/1.1 Host: www.example.org
HTTP/1.1 403 Forbidden Content-Type: text/html <html> <head><title>403 Forbidden</title></head> <body> <h1>Forbidden</h1> <p>You don't have permission to access /securedpage.php on this server.</p> </body> </html>
The following nonstandard codes are returned by Microsoft's Internet Information Services, and are not officially recognized by IANA.
((cite journal)): Cite journal requires