A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource, to indicate that the server can be reached and understood the request, but refuses to take any further action. Status code 403 responses are the result of the web server being configured to deny access, for some reason, to the requested resource by the client.
A typical request that may receive a 403 Forbidden response is a GET for a web page, performed by a web browser to retrieve the page for display to a user in a browser window. The web server may return a 403 Forbidden status for other types of requests as well.
The Apache web server returns 403 Forbidden in response to requests for URL paths that correspond to filesystem directories, when directory listings have been disabled in the server and there is no DirectoryIndex directive to specify an existing file to be returned to the browser. Some administrators configure the mod_proxy module for Apache to block such requests, and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory listings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header, or issued a Depth header of infinity.
Difference from status "401 Unauthorized"
Status codes 401 (Unauthorized) and 403 (Forbidden) have distinct meanings.
A 401 response indicates that access to the resource is restricted, and the request did not provide any HTTP authentication. It is possible that a new request for the same resource will succeed if authentication is provided. The response must include an HTTP WWW-Authenticate header to prompt the user-agent to provide credentials. If valid credentials are not provided via HTTP Authorization, then 401 should not be used.
A 403 response generally indicates one of two conditions:
- Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
- The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.
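The following is an added example, not code from the original article, showing how a server picks between 401 and 403 under the rules above, and also applying the directory-listing and WebDAV PROPFIND Depth cases described earlier. The user table, the protected path prefix, the realm name and the index-file mapping are constructed for the demo.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data for the demo; none of it comes from a real deployment.
USERS = {"alice": "s3cret", "bob": "hunter2"}        # HTTP Basic credentials
PROTECTED = {"/reports/": {"alice"}}                # path prefix -> users permitted
DIRECTORY_INDEX = {"/public/": "index.html"}        # /reports/ has no index file
DIRECTORY_LISTING_ENABLED = False
CHALLENGE = {"WWW-Authenticate": 'Basic realm="reports"'}


def basic_auth(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser sends after a 401 challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name if Basic credentials are well-formed and valid, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(value[6:], validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if not sep or expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def decide(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, extra response headers) for a request, following the 401/403 rules."""
    # WebDAV: PROPFIND must carry a Depth header, and infinite depth is refused outright.
    if method == "PROPFIND":
        depth = headers.get("Depth")
        if depth is None or depth.lower() == "infinity":
            return 403, {}
    allowed = next((u for prefix, u in PROTECTED.items() if path.startswith(prefix)), None)
    if allowed is not None:
        user = authenticate(headers)
        if user is None:
            # No or invalid credentials: 401 with a challenge, so a retry may succeed.
            return 401, dict(CHALLENGE)
        if user not in allowed:
            # Authenticated, but this user may not perform the operation: 403, no challenge.
            return 403, {}
    if method == "GET" and path.endswith("/") and path not in DIRECTORY_INDEX \
            and not DIRECTORY_LISTING_ENABLED:
        return 403, {}  # listing is forbidden to everyone, whoever asks
    return 200, {}
```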
403 substatus error codes for IIS
- 403.1 - Execute access forbidden.
- 403.2 - Read access forbidden.
- 403.3 - Write access forbidden.
- 403.4 - SSL required.
- 403.5 - SSL 128 required.
- 403.6 - IP address rejected.
- 403.7 - Client certificate required.
- 403.8 - Site access denied.
- 403.9 - Too many users.
- 403.10 - Invalid configuration.
- 403.11 - Password change.
- 403.12 - Mapper denied access.
- 403.13 - Client certificate revoked.
- 403.14 - Directory listing denied.
- 403.15 - Client Access Licenses exceeded.
- 403.16 - Client certificate is untrusted or invalid.
- 403.17 - Client certificate has expired or is not yet valid.
- 403.18 - Cannot execute request from that application pool.
- 403.19 - Cannot execute CGIs for the client in this application pool.
- 403.20 - Passport logon failed.
- 403.21 - Source access denied.
- 403.22 - Infinite depth is denied.
- 403.502 - Too many requests from the same client IP; Dynamic IP Restriction limit reached.