403 Forbidden should be used when a client is making a request it's not
allowed to make, for a variety of reasons. Maybe the user doesn't have the
right permissions, or maybe it's logged in with the wrong credentials.
It's a good generic status code for anything that's "not allowed", and is extremely common.
```http
HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 32

<h1>403: You can't do that!</h1>
```
However, there are a few HTTP status codes for more specific situations.
- Use 401 Unauthorized if the user can't do an operation because they haven't logged in yet.
- Use 405 Method Not Allowed if the user has access to the resource, but
the specific operation they're trying to do is not allowed. For example,
PUT on a read-only resource.
There are a few others, and they’ll be covered on this blog in the future.
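The three cases above (401 for "not logged in", 403 for "logged in but not permitted", 405 for "the resource never supports this method") are easy to mix up in a real handler. The following is an added example, not code from the original post: a small decision function that checks them in the order the post implies (authentication first, then access to the resource, then the method, then write permission), plus a renderer that produces the wire format shown above. The resource table, role names and `User` class are constructed for the example; the `Allow` header on 405 is required by RFC 7231, and `WWW-Authenticate` on 401 by RFC 7235.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for the example: which methods each resource
# supports and which role is needed to read or write it.
RESOURCES = {
    "/reports/2024": {
        "allowed_methods": {"GET", "HEAD"},   # read-only resource
        "read_role": "staff",
        "write_role": None,
    },
    "/articles/42": {
        "allowed_methods": {"GET", "HEAD", "PUT", "DELETE"},
        "read_role": "reader",
        "write_role": "editor",
    },
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def decide(method: str, path: str, user: Optional[User]) -> Response:
    """Pick the status code for a request; the order of the checks matters."""
    # 401: nobody has logged in yet. Checked first so anonymous clients learn
    # nothing about which paths or methods exist.
    if user is None:
        return Response(401, "Unauthorized",
                        {"WWW-Authenticate": 'Bearer realm="example"'})
    resource = RESOURCES.get(path)
    if resource is None:
        return Response(404, "Not Found")
    # 403: logged in, but this user may not even see the resource.
    if resource["read_role"] not in user.roles:
        return Response(403, "Forbidden", body="<h1>403: You can't do that!</h1>")
    # 405: the user has access, but the resource never supports this method
    # for anyone (e.g. PUT on a read-only resource). Allow lists what it does support.
    if method not in resource["allowed_methods"]:
        return Response(405, "Method Not Allowed",
                        {"Allow": ", ".join(sorted(resource["allowed_methods"]))})
    # 403 again: the method exists on the resource, but this user lacks the
    # role needed to perform it.
    if method not in ("GET", "HEAD") and resource["write_role"] not in user.roles:
        return Response(403, "Forbidden", body="<h1>403: You can't do that!</h1>")
    return Response(200, "OK", body="<p>ok</p>")


def render(resp: Response) -> str:
    """Serialise a Response into the HTTP/1.1 text form shown in the post."""
    body = resp.body.encode()
    headers = dict(resp.headers)
    if body:
        headers["Content-Type"] = "text/html"
    headers["Content-Length"] = str(len(body))
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + resp.body


if __name__ == "__main__":
    print(render(decide("PUT", "/articles/42", User("bob", {"reader"}))))
    print(render(decide("PUT", "/reports/2024", User("ann", {"staff"}))))
```

Note that a read-only resource answers a PUT with 405 only after the caller has been authenticated and authorised to read it; an anonymous client gets 401 regardless of method, so the `Allow` header never leaks the supported methods to someone who cannot see the resource at all.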
- RFC7231, Section 6.5.3 - 403 Forbidden