
403 Forbidden

4xx Client Error · RFC 9110
We know who you are. The answer is still no.

What 403 Forbidden means {#what}

The server knows the client’s identity (authenticated or not) and has decided they don’t have permission to access this resource. Unlike 401, sending credentials won’t help — the problem is authorization, not authentication.

When you’ll see a 403 {#when}

  • Trying to access an admin endpoint as a regular user
  • Accessing a resource that belongs to another user
  • IP blocklist, geographic restriction, or WAF block

When to use 403 {#use}

  • Use when the user is known but doesn’t have the right permissions
  • You can use 404 instead to hide the existence of a resource from unauthorized users (security through obscurity)
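The choice between 401, 403 and 404 described above, as an added example that is not part of the original page. The `User` and `Resource` types, the `status_for` function, the blocked network and the sample resources are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumptions for this example only).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Resource:
    owner_id: int
    admin_only: bool = False

RESOURCES = {
    "doc-1": Resource(owner_id=1),
    "doc-2": Resource(owner_id=2),
    "admin-panel": Resource(owner_id=0, admin_only=True),
}

def status_for(client_ip: str, user: Optional[User], resource_id: str,
               hide_existence: bool = False) -> int:
    """Return the HTTP status code for a read of resource_id."""
    # An IP blocklist applies whether or not the client authenticated: 403.
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED_NETS):
        return 403
    # No credentials: an authentication problem, so 401 rather than 403.
    if user is None:
        return 401
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return 404
    allowed = user.role == "admin" or (
        not resource.admin_only and resource.owner_id == user.id
    )
    if allowed:
        return 200
    # Known user without permission: 403, or 404 when the resource's
    # existence must stay hidden. The 404 sent here has to match the real
    # "not found" response (body and headers), or the difference leaks
    # exactly what the 404 was meant to hide.
    return 404 if hide_existence else 403
```

With `hide_existence=True`, a request for another user's resource and a request for a resource that does not exist return the same code.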