Products

Pricing

Test Library

Solutions

Resources

See docs

Start free

Course 1

Introduction to API
HTTP Methods
Status Codes
GraphQL
API Documentation and Swagger
Security and Best Practices

Links

Discord community
FAQs

Academy

403 Status Code - Forbidden

In this section you will learn about 403 Status Code, what is it, its components and examples.

403 Status Code - Forbidden
403 Status Code - Forbidden
403 Status Code - Forbidden

Luke Stephens

Luke Stephens

Luke Stephens

What is HTTP Status Code 403 - Forbidden?

The HTTP Status Code 403, termed "Forbidden", is a client error response code. It signals that the client's request is understood by the server, but the server refuses to authorize it. Unlike the 401 Unauthorized status, which pertains to authentication, the 403 Forbidden status indicates that the client is authenticated but lacks the permissions to access the requested resource.

403 Forbidden

Understanding 403 Forbidden

  • Permission Denied: The 403 Forbidden status code emphasizes that the client doesn't have the necessary permissions to access the requested content, even if it's authenticated.

HTTP/1.1 403 Forbidden

  • Explicit Denial: This status code is clear-cut in its message— the server has understood the request but is refusing to fulfill it. There's no need to repeat the request without making changes.

Why 403 Forbidden?

The 403 Forbidden status code serves as a protective barrier. It ensures that authenticated users can only access resources they are permitted to, thus preventing unauthorized data manipulation or access.

Characteristics of 403 Forbidden

  • Not an Authentication Issue: While 401 Unauthorized indicates that the client needs to authenticate, 403 Forbidden confirms the client is authenticated but still can't access the resource.

  • Usually Final: A 403 Forbidden response typically means that the client shouldn't try making the same request again. It's a definitive denial of access.

How does 403 Forbidden Work?

  1. Client Sends a Request:

    An authenticated client sends a request to a server resource it doesn't have permissions to access.

DELETE /user-data/123 HTTP/1.1
Host: www.example.com
Authorization: Bearer some_valid_token

  1. Server Responds with 403:

    The server recognizes the client's valid authentication but determines that the client doesn't have the necessary permissions to delete user data. Thus, it responds with a 403 Forbidden.

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "You do not have permission to delete user data."
}

Example of 403 Forbidden

Accessing Restricted Content:

GET /admin-dashboard HTTP/1.1
Host: www.example.com
Authorization: Bearer user_valid_token

Response:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "Access to the admin dashboard is restricted to administrators only."
}

Here, an authenticated user tries to access the admin dashboard, which is reserved for administrators. The server recognizes the user's authentication but denies access, returning a 403 Forbidden with a clear error message.

Conclusion

The 403 Forbidden status code is vital in the web security framework. It ensures that even authenticated users can only interact with resources they have explicit permissions for. By mastering the intricacies of the 403 Forbidden status code, developers and server administrators can effectively protect sensitive endpoints and ensure a robust authorization mechanism.

Next Lesson: 403 Status Code