403 Forbidden

In This Article

Status
Example response
Specifications
Browser compatibility
See also

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic (like an incorrect password).

Status

403 Forbidden

Example response

HTTP/1.1 403 Forbidden 
Date: Wed, 21 Oct 2015 07:28:00 GMT

Specifications

Specification	Title
RFC 7231, section 6.5.3: 403 Forbidden	HTTP/1.1: Semantics and Content

Browser compatibility

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

Desktop
Mobile

Feature	Chrome	Firefox	Edge	Internet Explorer	Opera	Safari
Basic Support	(Yes)	(Yes)	(Yes)	(Yes)	(Yes)	(Yes)

Feature	Android	Chrome for Android	Edge mobile	Firefox for Android	IE mobile	Opera Android	iOS Safari
Basic Support	(Yes)	(Yes)	(Yes)	(Yes)	(Yes)	(Yes)	(Yes)

Document Tags and Contributors

Tags:

Client error
HTTP
Reference
Status code

Contributors to this page: fscholz, teoli

Last updated by: fscholz, Jun 7, 2017, 10:01:36 AM

See also

HTTP
Guides:
Resources and URIs
1. Identifying resources on the Web
2. Data URIs
3. Introduction to MIME Types
4. Complete list of MIME Types
5. Choosing between www and non-www URLs
Basics of HTTP
1. Overview of HTTP
2. Evolution of HTTP
3. HTTP Messages
4. A typical HTTP session
5. Connection management in HTTP/1.x
HTTP security
1. Content Security Policy (CSP)
2. HTTP Public Key Pinning (HPKP)
3. HTTP Strict Transport Security (HSTS)
4. Cookie security
5. X-Content-Type-Options
6. X-Frame-Options
7. X-XSS-Protection
8. Mozilla web security guidelines
9. Mozilla Observatory
HTTP access control (CORS)
HTTP authentication
HTTP caching
HTTP compression
HTTP conditional requests
HTTP content negotiation
HTTP cookies
HTTP range requests
HTTP redirects
HTTP specifications
References:
HTTP headers
1. Accept
2. Accept-Charset
3. Accept-Encoding
4. Accept-Language
5. Accept-Ranges
6. Access-Control-Allow-Credentials
7. Access-Control-Allow-Headers
8. Access-Control-Allow-Methods
9. Access-Control-Allow-Origin
10. Access-Control-Expose-Headers
11. Access-Control-Max-Age
12. Access-Control-Request-Headers
13. Access-Control-Request-Method
14. Age
15. Allow
16. Authorization
17. Cache-Control
18. Connection
19. Content-Disposition
20. Content-Encoding
21. Content-Language
22. Content-Length
23. Content-Location
24. Content-Range
25. Content-Security-Policy
26. Content-Security-Policy-Report-Only
27. Content-Type
28. Cookie
29. Cookie2
30. DNT
31. Date
32. ETag
33. Expect
34. Expires
35. Forwarded
36. From
37. Host
38. If-Match
39. If-Modified-Since
40. If-None-Match
41. If-Range
42. If-Unmodified-Since
43. Keep-Alive
44. Large-Allocation
45. Last-Modified
46. Location
47. Origin
48. Pragma
49. Proxy-Authenticate
50. Proxy-Authorization
51. Public-Key-Pins
52. Public-Key-Pins-Report-Only
53. Range
54. Referer
55. Referrer-Policy
56. Retry-After
57. Server
58. Set-Cookie
59. Set-Cookie2
60. SourceMap
61. Strict-Transport-Security
62. TE
63. Tk
64. Trailer
65. Transfer-Encoding
66. Upgrade-Insecure-Requests
67. User-Agent
68. Vary
69. Via
70. WWW-Authenticate
71. Warning
72. X-Content-Type-Options
73. X-DNS-Prefetch-Control
74. X-Forwarded-For
75. X-Forwarded-Host
76. X-Forwarded-Proto
77. X-Frame-Options
78. X-XSS-Protection
HTTP request methods
1. CONNECT
2. DELETE
3. GET
4. HEAD
5. OPTIONS
6. PATCH
7. POST
8. PUT
HTTP response status codes
1. 100 Continue
2. 101 Switching Protocol
3. 200 OK
4. 201 Created
5. 202 Accepted
6. 203 Non-Authoritative Information
7. 204 No Content
8. 205 Reset Content
9. 206 Partial Content
10. 300 Multiple Choices
11. 301 Moved Permanently
12. 302 Found
13. 303 See Other
14. 304 Not Modified
15. 307 Temporary Redirect
16. 308 Permanent Redirect
17. 400 Bad Request
18. 401 Unauthorized
19. 403 Forbidden
20. 404 Not Found
21. 405 Method Not Allowed
22. 406 Not Acceptable
23. 407 Proxy Authentication Required
24. 408 Request Timeout
25. 409 Conflict
26. 410 Gone
27. 411 Length Required
28. 412 Precondition Failed
29. 413 Payload Too Large
30. 414 URI Too Long
31. 415 Unsupported Media Type
32. 416 Range Not Satisfiable
33. 417 Expectation Failed
34. 426 Upgrade Required
35. 428 Precondition Required
36. 429 Too Many Requests
37. 431 Request Header Fields Too Large
38. 451 Unavailable For Legal Reasons
39. 500 Internal Server Error
40. 501 Not Implemented
41. 502 Bad Gateway
42. 503 Service Unavailable
43. 504 Gateway Timeout
44. 505 HTTP Version Not Supported
45. 511 Network Authentication Required
CSP directives
1. CSP: base-uri
2. CSP: block-all-mixed-content
3. CSP: child-src
4. CSP: connect-src
5. CSP: default-src
6. CSP: font-src
7. CSP: form-action
8. CSP: frame-ancestors
9. CSP: frame-src
10. CSP: img-src
11. CSP: manifest-src
12. CSP: media-src
13. CSP: object-src
14. CSP: plugin-types
15. CSP: referrer
16. CSP: report-uri
17. CSP: require-sri-for
18. CSP: sandbox
19. CSP: script-src
20. CSP: style-src
21. CSP: upgrade-insecure-requests
22. CSP: worker-src

Learn the best of web development

Get the latest and greatest from MDN delivered straight to your inbox.

E-mail

I'm okay with Mozilla handling my info as explained in this Privacy Policy.

Thanks! Please check your inbox to confirm your subscription.

If you haven’t previously confirmed a subscription to a Mozilla-related newsletter you may have to do so. Please check your inbox or your spam filter for an email from us.