HTTP 403
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request but refuses to authorize it.
Specifications
HTTP 403 provides a distinct error case from HTTP 401. HTTP 401 is returned when the client has not authenticated (or its credentials were rejected) and implies that a successful response may follow valid authentication; HTTP 403 is returned when the client is not permitted access to the resource despite having authenticated, for example because the authenticated account has insufficient permissions.[a] RFC 7231 also allows a server that does not want to reveal that a forbidden resource exists to respond with 404 (Not Found) instead of 403.
Error 403: "The server understood the request, but is refusing to authorize it." (RFC 7231)[1]
Error 401: "The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials." (RFC 2616)[2]
The
Causes
A 403 status code can occur for the following reasons:[4]
- Insufficient permissions: The most common reason for a 403 status code is that the user lacks the necessary permissions to access the requested resource: the authenticated account does not belong to the user group or role that the resource requires.
- Authentication required: Some servers answer 403 when a resource requires authentication and the request carries no valid credentials. Strictly, a missing or rejected credential calls for 401 together with a WWW-Authenticate challenge, so that the client knows it may retry with other credentials; 403 is the usual choice when the server offers no HTTP authentication scheme for the resource (for example, it uses a login form instead) or does not want to advertise one.
- IP restrictions: The server may also restrict access to specific IP addresses or IP ranges. If the user's IP address is not included in the list of permitted addresses, a 403 status code is returned.
- Server configuration: The server's configuration can be set to prohibit access to certain files, directories, or areas of the website. This can be due to a misconfiguration or intentional restrictions imposed by the server administrator.
- Blocked by firewall or security software: A 403 status code can occur if a firewall or security software blocks access to the resource. This may happen due to security policies, malware detection, or other security measures.
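As an added example, not code from the original page or from any of the cited sources, the following Python function applies the 401/403 distinction from the Specifications section and the first three causes listed above (insufficient permissions, authentication required, IP restriction) to a GET request such as the one in the Examples section. The user table, resource policy, allowlisted networks and the realm name are constructed for illustration; the option of answering 404 instead of 403 for a "hidden" resource is the one RFC 7231 permits.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample data for illustration; a real service stores a random
# per-user salt and loads users, ACLs and allowlists from its configuration.
_SALT = b"example-salt"
_ITERATIONS = 10_000  # kept low so the example runs quickly


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice": {"hash": _pw_hash("correct horse"), "roles": {"admin"}},
    "bob": {"hash": _pw_hash("battery staple"), "roles": {"reader"}},
}

# path -> roles allowed to read it. A "hidden" resource answers 404 rather than
# 401/403 to anyone not permitted, so its existence is not disclosed (RFC 7231
# explicitly allows 404 in place of 403 for this purpose).
RESOURCES = {
    "/securedpage.php": {"roles": {"admin"}, "hidden": False},
    "/report": {"roles": {"admin", "reader"}, "hidden": False},
    "/admin/keys": {"roles": {"admin"}, "hidden": True},
}

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


def parse_basic(auth_header):
    """Return (user, password) from an HTTP Basic header, or None if absent or malformed."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(creds):
    """Return the matching user record, or None. Unknown users are compared
    against a dummy hash so response time does not reveal which names exist."""
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    expected = record["hash"] if record else _pw_hash("")
    if hmac.compare_digest(expected, _pw_hash(password)) and record:
        return record
    return None


def authorize(path, client_ip, auth_header=None):
    """Decide the status for a GET of `path`; returns (status, extra_headers)."""
    # 1. IP restriction: refused regardless of who the client claims to be.
    if not any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_NETS):
        return 403, {}
    resource = RESOURCES.get(path)
    if resource is None:
        return 404, {}
    user = authenticate(parse_basic(auth_header))
    if user is None:
        # 2. No credentials, or credentials that were rejected: both are 401 with
        # a challenge, because a different Authorization header might succeed.
        # For a hidden resource the existence of the page is not admitted at all.
        return (404, {}) if resource["hidden"] else (401, dict(CHALLENGE))
    if not (user["roles"] & resource["roles"]):
        # 3. Authenticated, but this account is not permitted: 403 with no
        # challenge (retrying as the same user cannot help), or 404 if hidden.
        return (404, {}) if resource["hidden"] else (403, {})
    return 200, {}


def basic_header(user, password):
    """Build the Authorization header a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Two details matter for the security of the decision: the 401 branch carries the WWW-Authenticate header that RFC 2616 requires, while the 403 branch deliberately does not, since re-authenticating as the same account cannot change the outcome; and the password check runs in constant time against a dummy hash for unknown names, so an attacker cannot tell a wrong password from a nonexistent user by timing the 401.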
Examples
Client request:[5]
GET /securedpage.php HTTP/1.1
Host: www.example.org
Server response:[5]
HTTP/1.1 403 Forbidden
Content-Type: text/html
<html>
<head><title>403 Forbidden</title></head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access /securedpage.php on this server.</p>
</body>
</html>
Substatus error codes for IIS
The following nonstandard substatus codes are returned by Microsoft's Internet Information Services (IIS):
- 403.1 – Execute access forbidden
- 403.2 – Read access forbidden
- 403.3 – Write access forbidden
- 403.4 – SSL required
- 403.5 – SSL 128 required
- 403.6 – IP address rejected
- 403.7 – Client certificate required
- 403.8 – Site access denied
- 403.9 – Too many users
- 403.10 – Invalid configuration
- 403.11 – Password change
- 403.12 – Mapper denied access
- 403.13 – Client certificate revoked
- 403.14 – Directory listing denied
- 403.15 – Client Access Licenses exceeded
- 403.16 – Client certificate is untrusted or invalid
- 403.17 – Client certificate has expired or is not yet valid
- 403.18 – Cannot execute request from that application pool
- 403.19 – Cannot execute CGIs for the client in this application pool
- 403.20 – Passport logon failed
- 403.21 – Source access denied
- 403.22 – Infinite depth is denied
- 403.502 – Too many requests from the same client IP; Dynamic IP Restriction limit reached
- 403.503 – Rejected due to IP address restriction
Notes
- ^ See #Substatus error codes for IIS for possible reasons why a web server may refuse to fulfill a request.
References
- ^ Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. RFC 7231.
- ^ RFC 2616. doi:10.17487/RFC2616. Retrieved 2018-04-09.
- ^ IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 12, 2016.
- ^ HTTP status code 403: How do I solve the problem with the 403 status code?
- ^ a b Example of "Client request" and "Server response" for HTTP status code 403.
- ^ HaiyingYu (2023-02-23). "HTTP status code overview - Internet Information Services". learn.microsoft.com. Retrieved 2024-05-19.