client error RFC 9110

HTTP 403 Forbidden

Server understood who you are but refuses to authorize the request — permission denied.

What it means

The client's identity is known but the operation isn't allowed. This is authorization (RBAC / ACL) failing, as opposed to 401 which is authentication failing. Servers often use 403 also for anti-abuse — WAF rules, geoblocking, rate-limit-adjacent denials — even when authentication technically passed.

When servers send it

  • User authenticated but lacks the role/permission for this action
  • Trying to access another user's resource (`GET /users/123/private` when you're user 456)
  • IP is blocked by WAF, geo-restriction, or Cloudflare rule
  • CORS: origin not in the `Access-Control-Allow-Origin` list

What the client does

Displays a "permission denied" message. Retrying does not help without changing identity.

Common causes

  • Missing role/scope on the authenticated user
  • Cloudflare Firewall / Workers rejected the request
  • S3 bucket policy denies the operation
  • CORS preflight succeeded but the actual request was blocked

How to fix it

  • 1.Verify the user has the required role/scope
  • 2.Check WAF and firewall rules if the block came from Cloudflare/AWS
  • 3.For S3: check the bucket policy and any Object ACLs
  • 4.For CORS: check `Access-Control-Allow-Origin` includes your exact origin (protocol + host + port)

Similar codes

← All HTTP status codes · HTTP status cheat sheet · HTTP headers reference