403 Forbidden
Example HTTP Response
HTTP/1.1 403 Forbidden
Content-Type: application/json
{"error": "Access denied"}- Insufficient permissions
- IP blocked
- Resource restricted to certain users
What does this mean?
VIP only! You might know who you are, but you're not on the guest list for this party.
Technical Definition
The client does not have access rights to the content.
RFC Says
"The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload."
Plain English:
The server understood your request and knows who you are, but you don't have permission to access this resource. Unlike 401, authentication won't help - you're simply not allowed.
Common Misinterpretation
403 vs 401 confusion is extremely common. Use 401 when the user needs to log in or provide credentials. Use 403 when the user IS logged in but lacks the necessary permissions (wrong role, subscription tier, etc.). Think: 401 = 'Who are you?' and 403 = 'I know who you are, but you can't do this.'
Ready-to-use code for returning this HTTP status in your application:
// Express.js
app.get('/example', (req, res) => {
res.status(403).json({
error: 'Forbidden',
message: 'Your error message here'
});
});
// Native HTTP
const http = require('http');
http.createServer((req, res) => {
res.writeHead(403, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({
error: 'Forbidden',
message: 'Your error message here'
}));
}).listen(3000);- User is authenticated but lacks required permissions
- Resource is restricted regardless of authentication
- IP address or region is blocked
- Use 401 when user is NOT authenticated at all
Indexing
Pages returning 403 are not indexed. Google interprets this as 'access denied' and excludes the URL from search results.
Crawler Behavior
Crawlers note the forbidden status. If robots.txt blocks crawling, that's different from 403 on the page itself.
Canonical URL Notes
Avoid 403 on URLs you want indexed. If content should be public for SEO but restricted for some users, reconsider your access control.
Google Notes
Google treats 403 as a soft error. The URL won't be indexed, but it's not as final as 404 or 410.
Understanding HTTP 403 Forbidden: Authorization, the 401 vs 403 Trap, and When to Hide a Resource Entirely
What 403 Forbidden really means (authorization, not authentication), why logging in won't fix it, how it differs from 401, 404, and 407, and how to return and handle it correctly across Express, Next.js, NGINX, and Apache.
11 min readUnderstanding HTTP 401 Unauthorized: Authentication, WWW-Authenticate, and the 401 vs 403 Trap
What 401 Unauthorized really means (authentication, not authorization), why the WWW-Authenticate header is mandatory, when to use 401 vs 403 vs 407, and how to return and handle it correctly.
9 min read
403 Forbidden FAQ
What causes a 403 Forbidden error?
Insufficient permissions. IP blocked. Resource restricted to certain users.
When should I use 403 Forbidden?
User is authenticated but lacks required permissions. Resource is restricted regardless of authentication. IP address or region is blocked. Use 401 when user is NOT authenticated at all.