403

HTTP 403 Forbidden

4xx Client Error

Defined in RFC 7231, Section 6.5.3 (superseded by RFC 9110, Section 15.5.4)

What is HTTP 403 Forbidden?

The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it. If credentials were sent, the server considers them insufficient for this resource, so the client should not retry with the same credentials. A request can also be forbidden for reasons unrelated to credentials, for example a blocked source address, so 403 does not always mean "authenticated but unauthorized". The contrast with 401 is that 401 means credentials are missing or invalid and the server challenges the client with a WWW-Authenticate header. The server may explain the refusal in the response body, but many deployments return a generic message so the response does not reveal the permission model.

Common Use Cases

  • Accessing a resource without sufficient permissions
  • IP address blacklisting
  • Directory listing disabled
  • CSRF token validation failure

Usage Example

When a non-admin user requests the admin dashboard, return 403 Forbidden: the session is valid, so the user is authenticated, but the admin role is missing. A short reason such as "Admin access required" helps developers on an internal API. On a public endpoint keep the body generic and record which permission was missing in the server-side log instead, so consumers still have a way to resolve the problem without the response describing the role structure.

// Laravel - authorization gate returning 403
// Assumes the route sits behind the `auth` middleware, so $request->user()
// is never null here. Without that middleware, a missing user must produce
// 401 rather than a method call on null.
$user = $request->user();
abort_if($user === null, 401);

if ($user->cannot('view-admin')) {
    abort(403, 'Admin access required.');
}

// Using policies: PostPolicy::update($user, $post) makes the decision
abort_if($user->cannot('update', $post), 403);

Common Mistakes

⚠️

Mistake: Returning 403 when the client is not authenticated at all

Fix: If the client has provided no credentials, or credentials that are invalid or expired, return 401 Unauthorized with a WWW-Authenticate header that tells the client how to authenticate; a 401 without that header violates the specification. Use 403 only when the credentials are valid but do not grant the requested access, which also tells the client not to retry with the same credentials.

⚠️

Mistake: Returning 404 instead of 403 to "hide" resource existence

Fix: RFC 9110 explicitly allows a server that wants to hide the existence of a forbidden resource to respond with 404 instead. This is a legitimate choice for sensitive resources, but it makes debugging harder for legitimate API consumers and only works if applied consistently: if unauthenticated requests get 401 while authorized-but-denied ones get 404, or if response size and timing differ between the two cases, the resource's existence leaks anyway. Decide per resource based on your threat model and document the choice for consumers.

⚠️

Mistake: Revealing too much information in 403 error messages

Fix: Do not expose internal details in 403 responses. A generic "Forbidden" is safer than "You need role X to access this", which hands an attacker a map of the permission model. Keep the specifics (user, resource, missing permission) in the server-side audit log and, where consumers need support, include an opaque reference id in the body that can be matched to that log entry.
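The following decision function ties together the usage example and the three mistakes above: 403 for reasons unrelated to credentials, 401 with a challenge for missing or invalid credentials, 404 where a resource's existence is deliberately hidden, and a generic 403 body with the detail kept in a server-side audit line. It is an added, framework-agnostic example and not the page's Laravel code; the bearer-token table, the blocked-address set, the resource table and the Request/Response types are constructed for this illustration, and the API is assumed to require a token on every path (which is why credentials are checked before the path lookup, so an unauthenticated caller cannot use 401-versus-404 as an existence oracle).

```python
"""Decide 401 vs 403 vs 404 for a protected resource.

Added, framework-agnostic example; it is not the page's Laravel code.
The token table, the blocklist and the resource table are constructed
sample data for this example.
"""
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: bearer token -> (user, roles).
TOKENS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-alice": ("alice", {"user"}),
    "tok-root": ("root", {"user", "admin"}),
}
BLOCKED_IPS = {"203.0.113.7"}  # TEST-NET-3 address, constructed
# Resource -> required role and whether to hide its existence from
# callers who lack that role (RFC 9110 permits 404 for this purpose).
RESOURCES = {
    "/admin": {"role": "admin", "hide": False},
    "/reports/payroll": {"role": "admin", "hide": True},
}


@dataclass
class Request:
    path: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)
    audit: str = ""  # server-side log line, never sent to the client


def _principal(req: Request) -> Optional[Tuple[str, Set[str]]]:
    """Return (user, roles) for a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize(req: Request) -> Response:
    # 1. A request can be forbidden for reasons unrelated to credentials
    #    (RFC 9110 s15.5.4): a blocked source address gets 403 before any
    #    authentication is attempted.
    if req.client_ip in BLOCKED_IPS:
        return Response(403, "Forbidden", audit=f"blocked ip={req.client_ip}")

    # 2. Missing or invalid credentials: 401 plus the mandatory
    #    WWW-Authenticate challenge (error code per RFC 6750). This runs
    #    before the path lookup so that 401-vs-404 cannot be used as an
    #    existence oracle by unauthenticated callers; the assumption is that
    #    every path in this API requires a token.
    principal = _principal(req)
    if principal is None:
        challenge = 'Bearer realm="api"'
        if "Authorization" in req.headers:
            challenge += ', error="invalid_token"'
        return Response(401, "Unauthorized",
                        headers={"WWW-Authenticate": challenge})

    user, roles = principal
    resource = RESOURCES.get(req.path)
    if resource is None:
        return Response(404, "Not Found")
    if resource["role"] in roles:
        return Response(200, "OK")

    # 3. Authenticated but not permitted. The detail goes to the audit log;
    #    the client gets a generic body plus an opaque reference to quote.
    ref = uuid.uuid4().hex[:8]
    audit = f"denied user={user} path={req.path} need={resource['role']} ref={ref}"
    if resource["hide"]:
        # Indistinguishable from an unknown path for this caller.
        return Response(404, "Not Found", audit=audit)
    return Response(403, f"Forbidden (ref {ref})", audit=audit)
```

The ordering matters as much as the codes: the blocklist check precedes authentication so a blocked client learns nothing about tokens, and the credential check precedes the path lookup so an unauthenticated client sees 401 for every path. Only a caller with a valid token ever sees 404, and for a hidden resource that 404 is identical to the one for a path that does not exist.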

Last updated: 21 Jun 2026