403 Forbidden
The 403 (Forbidden) HTTP status code indicates the server refuses to authorize the request. The requested operation is likely not possible, and there is no option to gain authorization.
By contrast, 401 (Unauthorized) provides a WWW-Authenticate header so that the user may authenticate and gain authorization.
Writing responses (servers)
Use 403 (Forbidden) when the request is not possible to fulfill, or if access is temporarily restricted. Use cases seem to be limited. If the particular method is not permitted on the resource, then 405 (Method Not Allowed) is more descriptive. For example, if modifying the resource is not permitted, then a PUT request should return 405 (Method Not Allowed) instead.
Reading responses (clients)
403 (Forbidden) errors cannot be retried; the user will have to seek other means to accomplish their task.
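The server-side choice between 401, 403 and 405 and the matching client behaviour, as an added example that is not part of the original page. The resource table, tokens, the Bearer realm and the function names are constructed assumptions.

```python
# Added example: constructed resource table and tokens, not from the original page.
RESOURCES = {
    # path: (methods the resource supports, users allowed to access it)
    "/reports/q3": ({"GET", "HEAD"}, {"alice"}),
    "/drafts/42": ({"GET", "PUT", "DELETE"}, {"alice", "bob"}),
}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}  # constructed sample credentials


def decide(method, path, token=None):
    """Return (status, headers) for a request, following the guidance above."""
    if path not in RESOURCES:
        return 404, {}
    methods, allowed_users = RESOURCES[path]
    # Method is not permitted on this resource for anyone: 405, which carries Allow.
    if method not in methods:
        return 405, {"Allow": ", ".join(sorted(methods))}
    user = TOKENS.get(token)
    # Missing or unknown credentials: 401 with a challenge so the client can authenticate.
    if user is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}
    # Authenticated but refused: 403, with no challenge since authenticating again will not help.
    if user not in allowed_users:
        return 403, {}
    return 200, {}


def client_next_step(status, headers):
    """Return what a client should do with the response."""
    if status == 401 and "WWW-Authenticate" in headers:
        return "authenticate-and-retry"
    if status == 403:
        return "stop"  # not retryable; the user must seek other means
    if status == 405:
        return "use-allowed-method:" + headers.get("Allow", "")
    return "done" if status < 400 else "fail"


if __name__ == "__main__":
    for args in [("GET", "/reports/q3"), ("GET", "/reports/q3", "token-bob"),
                 ("PUT", "/reports/q3", "token-alice"), ("GET", "/reports/q3", "token-alice")]:
        status, headers = decide(*args)
        print(args, status, headers, client_next_step(status, headers))
```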
Overview table
- Name: 403
- Message: 403 Forbidden
- Description: The server refuses to authorize the request.
- Specification: RFC 7231: HTTP Semantics and Content §6.5.3. 403 Forbidden