Example HTTP Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
{"error": "Access denied"}

Typical reasons a server returns 403:
- Insufficient permissions
- IP blocked
- Resource restricted to certain users
What does this mean?
VIP only! You might know who you are, but you're not on the guest list for this party.
Technical Definition
The client does not have access rights to the content.
RFC Says (RFC 7231, Section 6.5.3)
"The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any)."
Plain English:
The server understood your request and, if you sent credentials, knows who you are, but you are not permitted to access this resource. Unlike 401, re-sending the same credentials will not help; only different credentials, or a change in what your account is allowed to do, could. The same RFC section also allows a server that does not want to confirm the resource even exists to answer 404 instead of 403.
Common Misinterpretation
403 vs 401 confusion is extremely common. Use 401 when the user needs to log in or provide credentials; a 401 response must carry a WWW-Authenticate header (RFC 7235) telling the client how to authenticate. Use 403 when the user IS logged in but lacks the necessary permissions (wrong role, subscription tier, etc.); a 403 carries no such challenge, because repeating the request with the same credentials cannot succeed. Think: 401 = 'Who are you?' and 403 = 'I know who you are, but you can't do this.'
Ready-to-use code for returning this HTTP status in your application:
// Express.js
const express = require('express');
const app = express();

app.get('/example', (req, res) => {
  // Respond 403 with a JSON body; keep the message generic so it does not
  // reveal which permission the caller was missing
  res.status(403).json({
    error: 'Forbidden',
    message: 'Your error message here'
  });
});

app.listen(3000);

// Native HTTP
const http = require('http');

http.createServer((req, res) => {
  res.writeHead(403, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({
    error: 'Forbidden',
    message: 'Your error message here'
  }));
}).listen(3000);

When to use 403:
- User is authenticated but lacks required permissions
- Resource is restricted regardless of authentication
- IP address or region is blocked
- Use 401 when the user is NOT authenticated at all