client error RFC 9110
HTTP 403 Forbidden
Server understood who you are but refuses to authorize the request — permission denied.
What it means
The client's identity is known but the operation isn't allowed. This is authorization (RBAC / ACL) failing, as opposed to 401 which is authentication failing. Servers often use 403 also for anti-abuse — WAF rules, geoblocking, rate-limit-adjacent denials — even when authentication technically passed.
When servers send it
- •User authenticated but lacks the role/permission for this action
- •Trying to access another user's resource (`GET /users/123/private` when you're user 456)
- •IP is blocked by WAF, geo-restriction, or Cloudflare rule
- •CORS: origin not in the `Access-Control-Allow-Origin` list
What the client does
Displays a "permission denied" message. Retrying does not help without changing identity.
Common causes
- •Missing role/scope on the authenticated user
- •Cloudflare Firewall / Workers rejected the request
- •S3 bucket policy denies the operation
- •CORS preflight succeeded but the actual request was blocked
How to fix it
- 1.Verify the user has the required role/scope
- 2.Check WAF and firewall rules if the block came from Cloudflare/AWS
- 3.For S3: check the bucket policy and any Object ACLs
- 4.For CORS: check `Access-Control-Allow-Origin` includes your exact origin (protocol + host + port)
Similar codes
401 Unauthorized client error
Authentication is required and either missing or invalid — the client is not identified.
404 Not Found client error
The requested URL does not exist on this server.
400 Bad Request client error
Server cannot process the request due to a client-side error — malformed syntax, invalid JSON, missing required fields.
405 Method Not Allowed client error
The URL exists but doesn't support the HTTP method the client used.
408 Request Timeout client error
Client took too long to send the request — server gave up waiting.
← All HTTP status codes · HTTP status cheat sheet · HTTP headers reference