SiteError.com: Your friendly guide to HTTP status codes

403 Forbidden


Example HTTP Response

HTTP/1.1 403 Forbidden
Content-Type: application/json

{"error": "Access denied"}
Common Causes
  • Insufficient permissions
  • IP blocked
  • Resource restricted to certain users
Technical Details

What does this mean?

VIP only! You might know who you are, but you're not on the guest list for this party.

Technical Definition

The client does not have access rights to the content.

RFC Says

"The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload."

Plain English:

The server understood your request and knows who you are, but you don't have permission to access this resource. Unlike 401, authentication won't help - you're simply not allowed.

Common Misinterpretation

403 vs 401 confusion is extremely common. Use 401 when the user needs to log in or provide credentials. Use 403 when the user IS logged in but lacks the necessary permissions (wrong role, subscription tier, etc.). Think: 401 = 'Who are you?' and 403 = 'I know who you are, but you can't do this.'

Code Snippets

Ready-to-use code for returning this HTTP status in your application:

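Node.js
// Express.js
const express = require('express');
const app = express();

// Respond with 403 and a JSON body describing the refusal
app.get('/example', (req, res) => {
  res.status(403).json({
    error: 'Forbidden',
    message: 'Your error message here'
  });
});

app.listen(3000);

// Native HTTP (alternative to the Express version above; run one or the other,
// since both bind port 3000)
const http = require('http');

http.createServer((req, res) => {
  // Every request to this server is answered with 403 and a JSON body
  res.writeHead(403, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({
    error: 'Forbidden',
    message: 'Your error message here'
  }));
}).listen(3000);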
When to Use This Code
  • User is authenticated but lacks required permissions
  • Resource is restricted regardless of authentication
  • IP address or region is blocked
  • Use 401 when user is NOT authenticated at all
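The 401 vs 403 rule from "Common Misinterpretation" and the list above, written out as one decision function. This is an added example, not code from the original page; the session table, role names, blocked address and the `authorize`/`handler` names are constructed for illustration.

```javascript
// Constructed sample data: the tokens, roles and blocked address are illustrative.
const SESSIONS = new Map([
  ['token-alice', { user: 'alice', roles: ['admin'] }],
  ['token-bob', { user: 'bob', roles: ['viewer'] }],
]);
const BLOCKED_IPS = new Set(['203.0.113.7']);

// Decide the status for a request to a resource that needs `requiredRole`.
function authorize({ ip, authorization }, requiredRole) {
  // Blocked regardless of authentication: credentials cannot help, so 403.
  if (BLOCKED_IPS.has(ip)) {
    return { status: 403, headers: {}, reason: 'ip-blocked' };
  }
  // Missing or unrecognised credentials: 401 with a WWW-Authenticate challenge.
  const match = /^Bearer (\S+)$/.exec(authorization || '');
  const session = match ? SESSIONS.get(match[1]) : undefined;
  if (!session) {
    const headers = { 'WWW-Authenticate': 'Bearer realm="example"' };
    return { status: 401, headers, reason: 'unauthenticated' };
  }
  // Known user without the required role: 403, re-sending credentials will not help.
  if (!session.roles.includes(requiredRole)) {
    return { status: 403, headers: {}, reason: 'missing-role' };
  }
  return { status: 200, headers: {}, reason: 'ok', user: session.user };
}

// Request handler for http.createServer(); the resource here needs the 'admin' role.
function handler(req, res) {
  const decision = authorize(
    { ip: req.socket.remoteAddress, authorization: req.headers.authorization },
    'admin'
  );
  let body = { user: decision.user };
  if (decision.status !== 200) {
    // Keep the precise reason in the server log; the client gets a generic body.
    console.warn(`denied ${req.method} ${req.url}: ${decision.reason}`);
    body = { error: decision.status === 401 ? 'Authentication required' : 'Access denied' };
  }
  res.writeHead(decision.status, { 'Content-Type': 'application/json', ...decision.headers });
  res.end(JSON.stringify(body));
}
```

Pass `handler` to `http.createServer()` to serve it; the denial reason stays in the server log while the response body matches the generic "Access denied" shape shown earlier.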
SEO Handling

Indexing

Pages returning 403 are not indexed. Google interprets this as 'access denied' and excludes the URL from search results.

Crawler Behavior

Crawlers note the forbidden status. If robots.txt blocks crawling, that's different from 403 on the page itself.

Canonical URL Notes

Avoid 403 on URLs you want indexed. If content should be public for SEO but restricted for some users, reconsider your access control.

Google Notes

Google treats 403 as a soft error. The URL won't be indexed, but it's not as final as 404 or 410.




© 2026 SiteError.com. All rights reserved.