403 Forbidden

The 403 Forbidden status code is one of the HTTP status codes that a server may use to inform a client that it does not have the necessary permissions to access the requested resource.

When is the 403 Forbidden Status Code Used?

The 403 Forbidden status code is used by a server when a client requests a resource that it is not allowed to access. This is different from the 401 Unauthorized status code, which indicates that the client needs to provide authentication credentials to access the requested resource. The 403 Forbidden status code implies that the server has understood the request, but it is refusing to fulfill it due to insufficient permissions.

There are several reasons why a server may return a 403 Forbidden status code, such as:

  • The client does not have the necessary privileges to access the requested resource.
  • The server is configured to deny access to the requested resource for security reasons.
  • The server is unable to verify the client’s identity, even after the client has provided valid authentication credentials.

Example Request and Response

Here’s an example of an HTTP request that may result in a 403 Forbidden status code:

GET /restricted-resource HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3

In this example, the client is attempting to access a resource called /restricted-resource on the example.com server. If the server determines that the client does not have the necessary permissions to access this resource, it may return a 403 Forbidden status code in the response:

HTTP/1.1 403 Forbidden
Date: Wed, 15 Jun 2022 10:30:00 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /restricted-resource
on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at example.com Port 80</address>
</body></html>

In this example response, the server has returned a 403 Forbidden status code to inform the client that it does not have permission to access the requested resource.

Handling 403 Forbidden Status Code in a Client Application

When your client application receives a 403 Forbidden status code, it should handle the situation gracefully. Some possible ways to handle this status code include:

  1. Inform the user that they do not have permission to access the requested resource, and provide instructions on how to obtain the necessary permissions, if applicable.
  2. If the client application supports multiple user accounts, prompt the user to log in with a different account that may have the necessary permissions to access the requested resource.
  3. If the client application has a cache of the requested resource, display the cached version of the resource to the user, along with a message indicating that the live version of the resource could not be accessed due to insufficient permissions.
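
The handling options listed above, combined into one decision function that also separates 401 from 403 (an added example, not code from the original page). The ctx fields, the action names, the order in which the options are tried and the same-account check on the cache are assumptions of this example.

```javascript
// Added example: choose a client-side action for a 401 vs. a 403 response.
// ctx.cache, ctx.currentUser and ctx.otherAccounts are hypothetical fields.

// Extract the numeric status code from a raw HTTP/1.x response.
function parseStatus(rawResponse) {
  const match = /^HTTP\/\d\.\d (\d{3})\b/.exec(rawResponse);
  if (!match) throw new Error("not an HTTP/1.x response");
  return Number(match[1]);
}

// Map a raw response to exactly one action for the UI layer.
function decideAction(rawResponse, ctx) {
  const status = parseStatus(rawResponse);
  if (status === 401) {
    // Credentials are missing or were rejected: ask for them.
    return { action: "prompt_login" };
  }
  if (status !== 403) {
    return { action: status < 400 ? "render" : "show_error", status };
  }
  // 403: the request was understood and refused. Repeating it with the
  // same credentials will be refused again, so never retry automatically.
  const cached = ctx.cache.get(ctx.url);
  // Assumption: reuse a cached copy only if this same account fetched it,
  // so one account's data is never shown to another account.
  if (cached && cached.fetchedBy === ctx.currentUser) {
    return { action: "show_cached", body: cached.body,
             notice: "Live version unavailable: insufficient permissions." };
  }
  if (ctx.otherAccounts.length > 0) {
    return { action: "offer_account_switch", accounts: ctx.otherAccounts };
  }
  return { action: "show_forbidden",
           notice: "You do not have permission to access " + ctx.url + "." };
}

// Constructed sample input, modelled on the response shown earlier.
const forbidden = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<h1>Forbidden</h1>";
const unauthorized = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"x\"\r\n\r\n";
const ctx = {
  url: "/restricted-resource",
  currentUser: "alice",
  otherAccounts: ["alice-admin"],
  cache: new Map([["/restricted-resource", { fetchedBy: "bob", body: "old copy" }]]),
};
console.log(decideAction(forbidden, ctx));    // offer_account_switch
console.log(decideAction(unauthorized, ctx)); // prompt_login
```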

Summary

By understanding the 403 Forbidden status code and handling it appropriately in your client applications, you can provide a better user experience and ensure that your applications function correctly in the face of restricted resources.