What does 403 Forbidden mean?

A 403 Forbidden is an HTTP 4xx response that means the server understood your request but refuses to fulfill it because you don't have permission to access that resource. Unlike a 401, authenticating won't necessarily help — the server is saying 'I know who you are (or it doesn't matter), and you're still not allowed.' Common causes are file permissions, access rules, IP blocks, and firewall/WAF rules.

What is the difference between 401 and 403?

401 Unauthorized means you are not authenticated — log in and you may get access. 403 Forbidden means you are not authorized — even authenticated, you're not allowed this resource. Put simply: 401 is 'who are you?', 403 is 'I know, and no.'

How do I fix a 403 Forbidden error?

As a visitor: double-check the URL, clear cookies and cache, disable a VPN/proxy that might be IP-blocked, or log in if the page requires it. As a developer: check file/folder permissions (755 for folders, 644 for files), review .htaccess or server access rules, confirm an index file exists, check IP allowlists and firewall/WAF rules, and verify your authorization logic isn't denying valid users.

403 Forbidden Error: What It Means & How to Fix It (2026)

403 Forbidden is the server saying: "I understood exactly what you asked for, and I'm refusing." It's a 4xx client error, but it's about permission, not a typo — the resource exists, you're just not allowed in.

403 vs 401: the key distinction

These two get confused constantly:

401 Unauthorized → "Who are you? Authenticate and try again." Logging in may fix it. See 401 Unauthorized.
403 Forbidden → "I know who you are (or don't care), and you still can't have this." Logging in usually won't help.

Common causes

Cause	What's happening
File permissions	Wrong mode/ownership on the file or directory
Access rules	.htaccess or server config denying access
No index file	Directory listing disabled and no index.html
IP block	Your IP/region is on a deny list
WAF / Cloudflare	A security rule flagged the request
Authorization logic	The app checks a role/scope you don't have

How to fix it — as a visitor

Re-check the URL — a wrong path to a protected directory returns 403.
Clear cookies and cache; an expired session can trigger it.
Turn off a VPN/proxy that might be on an IP block.
Log in if the page is behind authentication.

How to fix it — as a developer

Permissions: directories 755, files 644; correct ownership for the web user.
Access rules: review .htaccess / Nginx location blocks for deny directives.
Index file: add one or enable listing if appropriate.
IP & WAF: check allowlists and firewall/WAF logs for false positives.
Authorization: confirm your role/scope checks aren't rejecting valid users — and that they are rejecting invalid ones (a 403 is also your access control working).

When a spike of 403s matters

One 403 is a permissions glitch. A surge of 403s can mean two very different things: a deploy that broke your access rules and is locking out real users, or an attacker probing for resources they shouldn't reach. Either way you want to know fast.

Nurbak Watch tracks status codes per endpoint, so a sudden rise in 403/401 responses alerts you immediately — and Nurbak's scanner checks your app for the broken authorization that causes them. See the API security checklist.

403 Forbidden: What It Means and How to Fix It

403 vs 401: the key distinction

Common causes

How to fix it — as a visitor

How to fix it — as a developer

When a spike of 403s matters

Related HTTP status codes

Fabian Delgado

Ready to try it?

403 vs 401: the key distinction

Common causes

How to fix it — as a visitor

How to fix it — as a developer

When a spike of 403s matters

Related HTTP status codes

Fabian Delgado

Ready to try it?

Read Next

GPTBot: What It Is and How to Allow or Block AI Crawlers

503 Service Unavailable: What It Means and How to Fix It

502 Bad Gateway: What It Means and How to Fix It