403 Forbidden

Example HTTP Response

HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error": "Access denied"}
Common Causes
  • Insufficient permissions
  • IP blocked
  • Resource restricted to certain users
Technical Details

What does this mean?

VIP only! You might know who you are, but you're not on the guest list for this party.

Technical Definition

The client does not have access rights to the content.

RFC Says

"The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload."

Plain English:

The server understood your request and knows who you are, but you don't have permission to access this resource. Unlike 401, authentication won't help - you're simply not allowed.

Common Misinterpretation

403 vs 401 confusion is extremely common. Use 401 when the user needs to log in or provide credentials. Use 403 when the user IS logged in but lacks the necessary permissions (wrong role, subscription tier, etc.). Think: 401 = 'Who are you?' and 403 = 'I know who you are, but you can't do this.'

Code Snippets

Ready-to-use code for returning this HTTP status in your application:

Node.js
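// Express.js
const express = require('express');
const app = express();

app.get('/example', (req, res) => {
  // Send 403 with a JSON error body
  res.status(403).json({
    error: 'Forbidden',
    message: 'Your error message here'
  });
});

app.listen(3000);

// Native HTTP (alternative to the Express example; run one or the other,
// since both listen on port 3000)
const http = require('http');

http.createServer((req, res) => {
  // Status line and headers first, then the JSON body
  res.writeHead(403, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({
    error: 'Forbidden',
    message: 'Your error message here'
  }));
}).listen(3000);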
When to Use This Code
  • User is authenticated but lacks required permissions
  • Resource is restricted regardless of authentication
  • IP address or region is blocked
  • Use 401 when user is NOT authenticated at all
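
The 401 versus 403 decision from "Common Misinterpretation" and the list above, written out as an added example (not code from this page). The token table, the blocked address, the Bearer scheme and the names `authorize` and `adminOnly` are assumptions made for illustration.

```javascript
// Constructed sample data (assumptions for this example, not from the page).
const TOKENS = new Map([
  ['token-alice', { user: 'alice', roles: ['admin'] }],
  ['token-bob', { user: 'bob', roles: ['viewer'] }],
]);
const BLOCKED_IPS = new Set(['203.0.113.7']); // address from a documentation range

const JSON_TYPE = { 'Content-Type': 'application/json' };
const forbidden = () => ({ status: 403, headers: JSON_TYPE, body: { error: 'Forbidden' } });

// Decide the response for a resource that needs `requiredRole`.
function authorize({ ip, authorization }, requiredRole) {
  // Blocked regardless of authentication: credentials would not change the answer.
  if (BLOCKED_IPS.has(ip)) return forbidden();

  // Missing or unrecognised credentials: 401 plus the WWW-Authenticate
  // challenge that tells the client how to authenticate.
  const match = /^Bearer (\S+)$/.exec(authorization || '');
  const identity = match ? TOKENS.get(match[1]) : undefined;
  if (!identity) {
    return {
      status: 401,
      headers: { ...JSON_TYPE, 'WWW-Authenticate': 'Bearer realm="example"' },
      body: { error: 'Unauthorized' },
    };
  }

  // Known user without the required role: 403, logging in again will not help.
  if (!identity.roles.includes(requiredRole)) return forbidden();

  return { status: 200, headers: JSON_TYPE, body: { user: identity.user } };
}

// Request listener usable as http.createServer(adminOnly).listen(3000).
function adminOnly(req, res) {
  const result = authorize(
    { ip: req.socket.remoteAddress, authorization: req.headers.authorization },
    'admin'
  );
  res.writeHead(result.status, result.headers);
  res.end(JSON.stringify(result.body));
}
```

The 403 body carries no reason here; the RFC text quoted above leaves describing the reason to the server's choice.
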
SEO Handling

Indexing

Pages returning 403 are not indexed. Google interprets this as 'access denied' and excludes the URL from search results.

Crawler Behavior

Crawlers note the forbidden status. If robots.txt blocks crawling, that's different from 403 on the page itself.

Canonical URL Notes

Avoid 403 on URLs you want indexed. If content should be public for SEO but restricted for some users, reconsider your access control.

Google Notes

Google treats 403 as a soft error. The URL won't be indexed, but it's not as final as 404 or 410.

403 Forbidden FAQ

What causes a 403 Forbidden error?

Insufficient permissions. IP blocked. Resource restricted to certain users.

When should I use 403 Forbidden?

User is authenticated but lacks required permissions. Resource is restricted regardless of authentication. IP address or region is blocked. Use 401 when user is NOT authenticated at all.