403 Forbidden

403 Forbidden should be used when a client is trying to do a request it’s not allowed to do for a variety of reasons. Maybe the user doesn’t have the right permissions, or maybe it’s logged in with the wrong credentials.

It’s a good generic status code for anything that’s “not allowed” for a variety of reasons, and is extremely common.


HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 32

<h1>403: You can't do that!</h1>

However, there are a few HTTP status codes for more specific situations.

  • Use 401 Unauthorized if the user can’t do an operations because they haven’t logged in yet.
  • Use 405 Method Not Allowed if the user has access to the resource, but the specific operation they’re trying to do is not allowed. For example, calling PUT on a read-only resource.

There are a few others, and they’ll be covered on this blog in the future.


HTTP series

This article is part of an ongoing series about the HTTP protocol.

If you want to follow along as I write them, you can Subscribe to my Atom feed or Mailing list.

Informational 1xx

Successful 2xx

Redirection 3xx

Client Error 4xx

Server Error 5xx

Web mentions