December 04, 2018

403 Forbidden

403 Forbidden should be used when a client is trying to do a request it’s not allowed to do for a variety of reasons. Maybe the user doesn’t have the right permissions, or maybe it’s logged in with the wrong credentials.

It’s a good generic status code for anything that’s “not allowed” for a variety of reasons, and is extremely common.

Example

HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 32

<h1>403: You can't do that!</h1>

However, there are a few HTTP status codes for more specific situations.

Use 401 Unauthorized if the user can’t do an operations because they haven’t logged in yet.
Use 405 Method Not Allowed if the user has access to the resource, but the specific operation they’re trying to do is not allowed. For example, calling PUT on a read-only resource.

There are a few others, and they’ll be covered on this blog in the future.

References

RFC7231, Section 6.5.3 - 403 Fobidden

HTTP series

This article is part of a series about the HTTP protocol. Read them all here:

Series of posts on HTTP status codes (2018-06-27)

Informational 1xx

100 Continue (2018-06-27)
101 Switching Protocols (2018-06-28)
102 Processing (2018-06-29)
103 Early Hints (2018-06-30)

Successful 2xx

200 OK (2018-07-03)
201 Created (2018-07-10)
202 Accepted (2018-07-17)
203 Non-Authoritative Information (2018-07-24)
204 No Content (2018-07-31)
205 Reset Content (2018-08-07)
206 Partial Content (2018-08-14)
207 Multi-Status (2018-08-21)
208 Already Reported (2018-08-28)
226 IM Used (2018-09-04)

Redirection 3xx

300 Multiple Choices (2018-09-11)
301 Moved Permanently (2018-09-18)
302 Found (2018-09-25)
303 See Other (2018-10-02)
304 Not Modified (2018-10-09)
305 Use Proxy (2018-10-16)
306 Switch Proxy (2018-10-23)
307 Temporary Redirect (2018-10-30)
308 Permanent Redirect (2018-11-06)
Which redirect do I choose? (2018-11-07)

Client Error 4xx

400 Bad Request (2018-11-13)
401 Unauthorized (2018-11-20)
402 Payment Required (2018-11-27)
403 Forbidden (2018-12-04)
404 Not Found (2018-12-11)
405 Method Not Allowed (2018-12-18)
406 Not Acceptable (2019-01-08)
407 Proxy Authentication Required (2019-01-15)
408 Request Timeout (2019-01-22)
409 Conflict (2019-01-29)
410 Gone (2019-02-05)
411 Length Required (2019-02-12)
412 Precondition Failed (2019-02-19)
413 Payload Too Large (2019-02-26)
414 URI Too Long (2019-03-05)
415 Unsupported Media Type (2019-03-12)
416 Range Not Satisfiable (2019-03-19)
417 Expectation Failed (2019-03-26)
418 I'm a teapot (2019-04-02)
420 Enhance your calm (2019-04-09)
421 Misdirected Request (2019-04-16)
422 Unprocessable Entity (2019-04-23)
423 Locked (2019-04-30)
424 Failed Dependency (2019-05-07)
425 Too Early (2019-05-14)
426 Upgrade Required (2019-05-21)
428 Precondition Required (2019-05-28)
429 Too Many Requests (2019-06-04)
430 Would Block (2019-06-11)
431 Request Header Fields Too Large (2019-06-18)
451 Unavailable For Legal Reasons (2019-06-25)

Server Error 5xx

500 Internal Server Error (2019-07-02)
501 Not Implemented (2019-07-09)
502 Bad Gateway (2019-07-16)
503 Service Unavailable (2019-07-23)
504 Gateway Timeout (2019-07-30)
505 HTTP Version Not Supported (2019-08-06)
506 Variant Also Negotiates (2019-08-13)
507 Insufficient Storage (2019-08-20)
508 Loop Detected (2019-08-30)
510 Not Extended (2019-09-05)
511 Network Authentication Required (2019-09-10)
The end of the HTTP series (2019-09-18)

Web mentions