Forbidden
4xx Client Error
Last updated:
The server understood the request and the client is authenticated, but access is refused.
Description
Authorization failure. The client is authenticated, but does not have permission for this specific resource or action. Repeating the request will not help.
When to use
Return 403 when a valid user tries to access a resource they don't own or perform an action their role doesn't allow.
Common pitfalls
Some APIs return 404 instead of 403 to hide the existence of protected resources — an intentional trade-off for security.
Specification
RFC 9110 §15.5.4
Examples
HTTP response
HTTP/1.1 403 Forbidden
Content-Type: application/json
{"error":"Forbidden"}Node.js (Express)
res.status(403).json({ error: "Forbidden" });Go (net/http)
w.WriteHeader(http.StatusForbidden)
Python (Flask)
return jsonify({"error": "Forbidden"}), 403Related status codes
All 4xx codes
400 Bad Request401 Unauthorized403 Forbidden404 Not Found405 Method Not Allowed406 Not Acceptable408 Request Timeout409 Conflict410 Gone411 Length Required412 Precondition Failed413 Payload Too Large414 URI Too Long415 Unsupported Media Type418 I'm a teapot422 Unprocessable Entity425 Too Early428 Precondition Required429 Too Many Requests431 Request Header Fields Too Large451 Unavailable For Legal Reasons