HTTP Status Code

403 Forbidden

Client Error

The server understood the request but refuses to authorize it.

What does HTTP 403 Forbidden mean?

HTTP 403 Forbidden is a client-error status code: the server understood the request but refuses to authorize it.

Status codes help browsers, APIs, apps, and backend systems understand whether a request succeeded, failed, was redirected, or needs additional action.

In practice, HTTP 403 Forbidden usually appears when a permission check or an access rule on the server rejects the request, for example because the user lacks the required access or the IP or account is blocked.

Response example

HTTP/1.1 403 Forbidden

Common causes

  • Insufficient permissions
  • Blocked IP or account
  • Authenticated user lacks required access

How to fix it

  • Check user roles and permissions
  • Verify access rules on the server
  • Do not retry blindly if the user lacks permission

Common mistakes

  • Assuming the status code alone explains the full backend issue
  • Ignoring related response headers that add important context
  • Treating temporary errors as permanent failures
  • Retrying too aggressively without checking the cause
  • Debugging the frontend only when the problem is server-side

How browsers and APIs use it

Browsers, APIs, and backend services use HTTP status codes to understand the outcome of a request. Depending on the status code, an application may render content, retry a request, redirect the user, show an error, or trigger a different flow in the client or server.

Developer note

HTTP 403 is about authorization, not authentication. The client may be logged in correctly but still not allowed to access the resource.

Client-side example

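// `response` is assumed to be the Response object returned by fetch()
if (response.status === 403) {
  // Authorization failure: sending the same request again will not help
  console.log("Access denied");
}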
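
An added example, not part of the original page: a fuller version of the check above that separates 403 from an authentication failure and from temporary errors, so a permission denial is never retried and related headers are read. The function name planNextStep, its action labels, and the handling of 401, 429 and 503 are assumptions made for illustration.

```javascript
// Decide what a client should do with a response.
// Takes a plain { status, headers } object so it runs without a network;
// with fetch(), pass response.status and Object.fromEntries(response.headers).
function planNextStep(res, attempt = 0, maxAttempts = 3) {
  const headers = {};
  for (const [name, value] of Object.entries(res.headers || {})) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }

  if (res.status === 401) {
    // Authentication problem: credentials are missing or invalid.
    return { action: "reauthenticate", retry: false,
             challenge: headers["www-authenticate"] || null };
  }
  if (res.status === 403) {
    // Authorization problem: the caller is known but not allowed.
    // The same request with the same credentials will be refused again.
    return { action: "deny", retry: false };
  }
  if (res.status === 429 || res.status === 503) {
    // Temporary condition: retry, but bounded and paced.
    if (attempt + 1 >= maxAttempts) return { action: "give-up", retry: false };
    // Retry-After in seconds; an HTTP-date value falls through to backoff.
    const hinted = Number.parseInt(headers["retry-after"], 10);
    const delayMs = Number.isFinite(hinted) && hinted >= 0
      ? hinted * 1000
      : Math.min(30000, 1000 * 2 ** attempt);
    return { action: "retry", retry: true, delayMs };
  }
  return { action: res.status < 400 ? "ok" : "fail", retry: false };
}

// Constructed sample responses, not captured from a real server.
const samples = [
  { status: 403, headers: {} },
  { status: 401, headers: { "WWW-Authenticate": "Bearer" } },
  { status: 429, headers: { "Retry-After": "5" } },
];
for (const s of samples) console.log(s.status, planNextStep(s));
```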

Related status codes