What Is HTTP 403 Forbidden?

HTTP 403 Forbidden means a page exists but access is denied. Learn what causes 403 errors, how they differ from 401 and 404, and what to do when you see one in your scan results.

Last updated: Mar 28, 2026

HTTP 403 Forbidden means the server understood the request and the page exists — but access is denied. Unlike a 404 where the page simply does not exist, a 403 means the server knows exactly what is being requested and is actively refusing to serve it.

The distinction matters: a 404 says "there is nothing here", a 403 says "there is something here, but you are not allowed to see it."

What causes a 403 error?

A 403 can have several different causes depending on the context.

  • File or directory permissions. On Linux-based web servers, every file and directory has permission settings that control who can read, write, or execute it. If the web server process does not have read permission for a file, it returns a 403. This is one of the most common causes of unexpected 403 errors on self-hosted websites.

  • No index file in a directory. If a URL points to a directory rather than a specific file, the web server looks for a default index file — typically index.html or index.php. If no index file exists and directory listing is disabled, the server returns a 403 rather than showing the directory contents. This is the correct behavior from a security perspective — exposing directory listings is generally undesirable.

  • Access control rules. Web servers can be configured to block access to certain URLs or directories entirely. On Apache this is done via .htaccess rules or the virtual host configuration, on nginx via location blocks. A misconfigured rule can accidentally block access to pages that should be public.

  • IP blocking. Some servers block requests from specific IP addresses or ranges. If the server has blocked the IP address of the visitor — or the IP address of a crawler — it may return a 403.

  • Authentication required. Some servers return a 403 instead of a 401 when authentication is required. Technically a 401 is the more correct code for "you need to log in", but 403 is sometimes used instead, particularly when the server wants to acknowledge that the resource exists without inviting authentication attempts.

  • Hotlink protection. Some servers block requests for images or files when the request comes from a different domain — a technique called hotlink protection. If your website links to an image on another server that has hotlink protection enabled, the image request may return a 403.

403 on internal vs external URLs

How you respond to a 403 depends on where it appears.

For an internal URL — a page on your own website — a 403 may be intentional or a mistake. A protected admin area, a members-only section, or a file that should not be publicly accessible returning a 403 is working as intended. A page that should be publicly accessible returning a 403 is a problem that needs investigating. Check your file permissions, your server configuration, and any access control rules that might be affecting the URL.

For an external URL — a page on someone else's website that you link to — a 403 usually means the external page restricts public access. If you are linking to a resource that was previously public and now returns a 403, it is worth removing or replacing the link. Your visitors cannot access it, so the link serves no purpose.

403 vs 401

The difference between 403 and 401 is subtle but important.

HTTP 401 Unauthorized means authentication is required. The server is telling the client to provide credentials — a username and password, a token, or another form of authentication. If the correct credentials are provided, access may be granted.

HTTP 403 Forbidden means access is denied regardless of authentication. Even if the client provides credentials, the server will not serve the resource. The decision is final.

In practice, some servers use these codes inconsistently — returning a 403 when a 401 would be more appropriate, or vice versa. But understanding the intended distinction helps when diagnosing why a page is inaccessible.

How to fix a 403 error

The fix depends on the cause.

  • For a file permission issue, check the permissions on the affected file or directory. On a Linux server, web server processes typically run as www-data or a similar user, and files should generally be readable by that user. Commonly used permissions for web content are 644 for files and 755 for directories.

  • For a missing index file, either add an index file to the directory or configure the server to redirect directory requests to a specific page.

  • For an access control rule that is blocking legitimate requests, review your .htaccess file on Apache or your location blocks on nginx and identify the rule causing the block.

  • For IP blocking, check whether your server has any IP-based access control rules that might be affecting legitimate visitors.
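An added example for the file permission case above (not part of the original article): it walks every directory from a starting point down to the file and reports the first component the web server user cannot pass, because a 644 file is still unreachable when a parent directory lacks the search bit. The uid/gid values and the temporary tree are constructed for the demonstration; ACLs, SELinux and root's permission bypass are not modelled.

```python
import os
import stat
import tempfile
from pathlib import Path

def class_bits(st, uid, gids):
    """rwx bits (0-7) of the single permission class that applies to uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 7          # owner class wins, even if it is stricter
    if st.st_gid in gids:
        return (mode >> 3) & 7          # group class
    return mode & 7                     # other class

def first_denial(target, uid, gids, start="/"):
    """Walk from start down to target. Return (path, reason) for the first
    component the user cannot pass, or None if the mode bits allow the read."""
    start, target = Path(start).resolve(), Path(target).resolve()
    chain = [start]
    for part in target.relative_to(start).parts:
        chain.append(chain[-1] / part)
    for p in chain:
        st = p.stat()
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 1:
                return str(p), "directory lacks search (x) permission"
        elif not bits & 4:
            return str(p), "file lacks read (r) permission"
    return None

def demo():
    """Constructed tree: docroot 755, private/ 750, page.html 644."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        priv = root / "private"
        priv.mkdir()
        page = priv / "page.html"
        page.write_text("hello")
        for p, m in ((root, 0o755), (priv, 0o750), (page, 0o644)):
            os.chmod(p, m)
        st = page.stat()
        web_uid, web_gids = st.st_uid + 1, {st.st_gid + 1}  # stand-in for www-data
        before = first_denial(page, web_uid, web_gids, start=root)
        os.chmod(priv, 0o755)                               # the 755 value from the text
        after = first_denial(page, web_uid, web_gids, start=root)
        return before, after

if __name__ == "__main__":
    print(demo())
```

On a real server, take the uid and group list from `pwd.getpwnam("www-data")` and `os.getgrouplist()` and leave `start` at its default so the walk begins at `/`.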

403 errors in scan results

When dislike404.com reports a 403 on an internal URL, it does not necessarily mean something is broken — it may be intentional. Review the URL to determine whether the restriction is deliberate. If the page should be publicly accessible, investigate your server configuration. If the restriction is intentional, you can add the URL pattern to your blacklist to prevent it from appearing in future scan results.