403 Forbidden

403 Forbidden should be used when a client makes a request it’s not allowed to make. There can be a variety of reasons: maybe the user doesn’t have the right permissions, or maybe they’re logged in with the wrong credentials.

It’s a good generic status code for anything that’s “not allowed”, and it is extremely common.


HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 32

<h1>403: You can't do that!</h1>

However, there are a few HTTP status codes for more specific situations.

  • Use 401 Unauthorized if the user can’t do an operation because they haven’t logged in yet.
  • Use 405 Method Not Allowed if the user has access to the resource, but the specific operation they’re trying to do is not allowed. For example, calling PUT on a read-only resource.

There are a few others, and they’ll be covered on this blog in the future.
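
The choice between 401, 403 and 405 described above can be written as one ordered decision. This is an added example, not code from the original article. The `Resource` class, the `decide` function, the role names and the `Bearer realm` value are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    methods: frozenset  # methods the resource supports (drives 405 and Allow)
    roles: frozenset    # roles that may use the resource at all (drives 403)


# Constructed sample resources, not taken from the article.
REPORT = Resource(frozenset({"GET", "HEAD"}), frozenset({"analyst", "admin"}))
USERS = Resource(frozenset({"GET", "POST"}), frozenset({"admin"}))


def decide(resource: Resource, method: str, role: Optional[str]):
    """Return (status, headers). role=None means nobody is logged in."""
    # Not logged in yet: 401, which must carry a WWW-Authenticate challenge
    # so the client knows how to authenticate.
    if role is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}

    # Logged in, but this identity may not use the resource: generic 403.
    # Authenticating again with the same credentials will not help.
    if role not in resource.roles:
        return 403, {}

    # The user has access, but the operation itself is not supported
    # (PUT on a read-only resource): 405, which must list what is allowed.
    if method not in resource.methods:
        return 405, {"Allow": ", ".join(sorted(resource.methods))}

    return 200, {}


if __name__ == "__main__":
    for args in [(REPORT, "GET", None), (USERS, "GET", "analyst"),
                 (REPORT, "PUT", "analyst"), (REPORT, "GET", "analyst")]:
        print(args[1], args[2], "->", decide(*args))
```

Checking authentication and resource access before the method means an anonymous or unauthorized client receives 401 or 403 and never sees the `Allow` list for a resource it cannot use.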


HTTP series

This article is part of a series about the HTTP protocol.