The HTTP 403 status code stands for "Forbidden". It is a client error response indicating that the server understands the request but refuses to authorize it, even if the client provides valid authentication.

When is HTTP 403 Used?

  • When the client is authenticated but does not have permission to access the resource.
  • When access is restricted based on IP addresses or user roles.
  • When content or actions are forbidden regardless of authentication status.

Difference Between HTTP 401 and HTTP 403

  • 401 Unauthorized: Authentication credentials are missing or invalid (despite the name, this is an authentication failure).
  • 403 Forbidden: Credentials may be valid, but the authenticated identity is not permitted to access the resource; repeating the request with the same credentials will not change the outcome.

Example Scenarios

  • Role-Based Access Control – A regular user tries to access an admin dashboard.
  • IP Whitelisting – A client attempts to access a resource from a non-whitelisted IP address.
  • Access Restrictions – A user tries to access a blocked or restricted page.

Example

Client Request (Authenticated User Accessing a Restricted Resource)

    GET /admin/dashboard HTTP/1.1
    Host: example.com
    Authorization: Bearer valid_token

Server Response (403 Forbidden - Insufficient Permissions)

    HTTP/1.1 403 Forbidden
    Content-Type: application/json

    { "error": "Access denied. Administrator permissions required." }
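
A server-side decision routine that produces the 401/403 split for the request above, covering the role, IP-restriction and missing-credential scenarios from the list earlier on this page. This is an added example, not code from the original page; the token table, route policy, IP allow-list and audit log are constructed for illustration.

```python
# Added example: deciding between 401 and 403 for the request shown above.
# The token table, route policy, IP allow-list and audit sink are constructed.
TOKENS = {"valid_token": "user", "admin_token": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}

# Required role per path prefix, plus an optional IP allow-list that is
# enforced regardless of authentication status (RFC 5737 documentation IPs).
ROUTES = {
    "/admin/": {"role": "admin", "allowed_ips": {"192.0.2.10"}},
    "/profile/": {"role": "user", "allowed_ips": None},
}

AUDIT_LOG = []  # denials are recorded here for monitoring


def authenticate(headers):
    """Return the caller's role, or None when credentials are missing or invalid."""
    # Real frameworks normalise header-name case; this example assumes "Authorization".
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize(path, headers, client_ip):
    """Decide a request; returns (status, response_headers, body)."""
    policy = next((p for prefix, p in ROUTES.items() if path.startswith(prefix)), None)
    if policy is None:
        return 404, {}, {"error": "Not found."}

    # IP restriction: forbidden no matter who the client claims to be.
    if policy["allowed_ips"] is not None and client_ip not in policy["allowed_ips"]:
        AUDIT_LOG.append({"path": path, "ip": client_ip, "reason": "ip_not_allowed"})
        return 403, {}, {"error": "Access denied."}

    role = authenticate(headers)
    if role is None:
        # 401: no usable credentials. RFC 7235 requires a WWW-Authenticate
        # challenge on every 401 so the client knows how to authenticate.
        challenge = {"WWW-Authenticate": 'Bearer realm="example"'}
        return 401, challenge, {"error": "Authentication required."}

    if ROLE_RANK[role] < ROLE_RANK[policy["role"]]:
        # 403: identity is known, but its role does not satisfy the policy.
        # The specific reason goes to the audit log, not to the client.
        AUDIT_LOG.append({"path": path, "ip": client_ip, "role": role, "reason": "insufficient_role"})
        return 403, {}, {"error": "Access denied."}

    return 200, {}, {"ok": True, "role": role}
```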

Summary

HTTP 403 means the server understands the request but refuses to fulfill it due to insufficient permissions or access restrictions. It is commonly seen in role-based access systems, IP-restricted resources, and content control policies.