HTTP 403 Forbidden
Client Error
The server understood the request and refuses to authorize it. Unlike 401, re-authenticating won't help — the identity is known but lacks permission.
Defined in RFC 9110
Common causes
- Insufficient role/permissions for the resource
- IP allow-list, WAF or geo-blocking rules
- Filesystem permissions on static servers
- CSRF protection rejecting the request
How to fix it
- Verify the account's permissions/role for the resource
- Check WAF/firewall and IP restriction logs
- On static hosting, fix file ownership/permissions
- Include the CSRF token the backend expects
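As an added example (not code from this reference), the following sketch shows how a backend can separate the 401 case from the 403 causes listed above and record which rule fired, so the log answers "why 403?" directly. The allow-list, tokens, roles, paths and reason strings are constructed sample values.

```python
import hmac
import ipaddress

# Constructed sample policy (assumptions for illustration only).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
TOKENS = {"tok-alice": {"user": "alice", "roles": {"viewer"}, "csrf": "c1"},
          "tok-bob": {"user": "bob", "roles": {"viewer", "admin"}, "csrf": "c2"}}
REQUIRED_ROLE = {"/reports": "viewer", "/admin/users": "admin"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def authorize(method, path, client_ip, bearer=None, csrf=None):
    """Return (status, headers, reason) for one request."""
    # IP allow-list: a network rule, independent of identity, so 403.
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return 403, {}, "ip_not_allowed"
    # Missing or unknown credential: 401 plus a challenge, because
    # authenticating (again) can change the outcome.
    session = TOKENS.get(bearer)
    if session is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}, "unauthenticated"
    # CSRF token required on state-changing methods; constant-time compare.
    if method in UNSAFE_METHODS and not hmac.compare_digest(csrf or "", session["csrf"]):
        return 403, {}, "csrf_rejected"
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return 404, {}, "not_found"
    # Identity is known but lacks the role: 403 with no challenge,
    # since re-authenticating as the same user will not help.
    if needed not in session["roles"]:
        return 403, {}, "insufficient_role"
    return 200, {}, "ok"


if __name__ == "__main__":
    # Constructed requests covering each branch.
    for req in [("GET", "/reports", "10.1.2.3", None, None),
                ("GET", "/admin/users", "10.1.2.3", "tok-alice", None),
                ("POST", "/admin/users", "192.0.2.5", "tok-bob", "wrong"),
                ("GET", "/reports", "203.0.113.9", "tok-bob", None)]:
        print(req, "->", authorize(*req))
```

Logging the reason string server-side while returning only the bare status to the client keeps triage fast without telling the caller which control rejected the request.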
Related status codes
401 Unauthorized
Authentication is required and was missing or invalid. Despite the name, it means "unauthenticated" — the response includes a WWW-Authenticate challenge.
404 Not Found
The server can't find anything at the requested URL. It says nothing about whether the resource ever existed or will exist.
451 Unavailable For Legal Reasons
Access is denied for legal reasons — court orders, government censorship, or geo-specific legal restrictions (the number nods to Fahrenheit 451).