HTTP 403 Forbidden
What a 403 Forbidden response means, why it happens, and the fastest ways to fix it.
The server understood the request and refuses it: you are authenticated (or identity doesn't matter) but not allowed. Retrying with the same credentials won't help.
- Insufficient role/permissions for the resource.
- IP allowlists, geo-blocking, WAF rules.
- Filesystem permissions on static servers (see chmod).
- Verify the account's role/scopes for that exact resource.
- On static hosting, check file permissions and index settings.
- If a WAF is involved, inspect which rule fires — often a false positive on request bodies.
Notes
HTTP status codes are defined in RFC 9110 (which replaced RFC 7231). The first digit is the class: 1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error.
Same class: 400 · 401 · 404 · 405 · 408 · 409 · 410 · 412 · 413 · 415 · 418 · 422 · 425 · 429 · 431 · 451
All codes: HTTP status code reference
Frequently asked questions
What does HTTP 403 mean?
HTTP 403 Forbidden: The server understood the request and refuses it: you are authenticated (or identity doesn't matter) but not allowed. Retrying with the same credentials won't help.
How do I fix a 403 error?
Verify the account's role/scopes for that exact resource. On static hosting, check file permissions and index settings. If a WAF is involved, inspect which rule fires — often a false positive on request bodies.
Is a 403 my fault or the server's?
403 is a client error — the request itself needs to change, though server misconfiguration can also trigger it.