403 Forbidden Error
We have all encountered the infamous 404 not found error. But what does it mean when you try to access a page, only to be surprised by a message telling you that you don't have permission to access anything on your page? This error occurs when a client accesses a resource for which it does not have permission. Here we will show you the possible causes of the 403 error code and what you can do about it.
What is a 403 Forbidden error?
The 403 Forbidden error is one of many HTTP status codes. What are HTTP status codes? Every time you connect to a web page with your browser, the web server uses what is called an HTTP status code to communicate with your browser. If everything works, the web server responds with a 200 status code. However, you don't notice this; you just get to the web page you have called. However, if something goes wrong, the web server responds with a differently numbered HTTP status code (e.g., 5xx or 4xx).
The web server returns a 403 Forbidden error based on rules configured to tell the server when to deny certain requests. Your server knows what you want, but it won't let you do it for various reasons.
The most common reasons for a 403 Forbidden are:
- IP blocking
- bad file permissions
- trying to access a hidden file
- problem with a plugin or adblocker
Variations of the 403 Forbidden error
There are multiple variations of the 403 error, which you might see depending on which server you are using. A few examples include:
- Error 403 Forbidden
- 403 Error
- Forbidden
- 403 Forbidden
- Nginx 403 Forbidden
- 403 Forbidden: Access Denied
- HTTP 403 Forbidden
- 403 Forbidden Error
- 403 Forbidden Nginx
- Forbidden - You do not have permission to access / this server
- 403 - Forbidden: Access has been denied
Differences between 403 Forbidden and 401 Unauthorized errors
Both 401 and 403 errors are similar in that they alert the visitor that they cannot access a resource. However, each error occurs for separate reasons. A 401 error occurs when a request to a particular resource that requires authentication either does not provide authentication or the authentication provided fails.
A 403 error, on the other hand, is returned when the authentication process is passed, but the user is still not allowed to perform a particular operation, or the operation is forbidden to all users. Examples of operations that may return a 403 Forbidden error are explained in the sections below.
Zone Referrers
Implementing the use of Zone Referrers allows you to restrict HTTP referrers and will return an error 403 to any referrer that you do not specify as a Zone Referrer. This is also known as hotlink protection, which can be implemented on your Apache or Nginx server.
KeyCDN offers Zone Referrers so that you can restrict others from referring to the content you have hosted on the CDN, which means they won't use your bandwidth. Creating a Zone Referrer is easy and can be done directly from your KeyCDN dashboard.
How to fix 403 Forbidden errors depending on the cause
HTTP 403 Forbidden errors can have a variety of causes. The section below identifies a few possible causes and debugging suggestions for this error.
Bad permissions
403 Forbidden errors can occur when file permissions are not set properly. The folders and files on your site's server each have their own file permissions that govern who can do what (read/write/execute). Permissions can be modified using the chmod command in the command line. A quick guideline for which files should use which permissions is shown below:
- Folders: 755
- Static Content: 644
- Dynamic Content: 700
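Before changing anything with chmod, it helps to see which paths deviate from this guideline. The script below is an added example, not part of the original article: `audit_webroot`, `make_sample_tree` and the finding labels are names made up for it, and the directory tree it scans is constructed in a temporary folder.

```shell
#!/bin/sh
# Added example: read-only audit of a web root against the guideline above
# (folders 755, static files 644, dynamic files 700). It changes nothing.

# audit_webroot DIR: print one "LABEL path" line per finding, sorted.
audit_webroot() {
    root=$1
    {
        # Folders whose mode is not exactly 755. A stricter mode (e.g. 700)
        # can cause a 403 when the server runs as a different user.
        find "$root" -type d ! -perm 755 | sed 's/^/DIR_NOT_755 /'
        # Regular files that match neither guideline mode.
        find "$root" -type f ! -perm 644 ! -perm 700 |
            sed 's/^/FILE_NOT_644_OR_700 /'
        # Anything writable by every local user, regardless of type.
        find "$root" ! -type l -perm -002 | sed 's/^/WORLD_WRITABLE /'
    } | sort
}

# make_sample_tree: build a constructed tree in a temp dir, print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/uploads" "$t/site/private"
    : > "$t/site/index.html"
    : > "$t/site/app.php"
    : > "$t/site/uploads/a.png"
    chmod 755 "$t/site"
    chmod 644 "$t/site/index.html"      # static content, per guideline
    chmod 700 "$t/site/app.php"         # dynamic content, per guideline
    chmod 700 "$t/site/private"         # too strict for a folder
    chmod 777 "$t/site/uploads"         # too loose
    chmod 666 "$t/site/uploads/a.png"   # too loose
    printf '%s\n' "$t/site"
}

sample=$(make_sample_tree)
audit_webroot "$sample"
rm -rf "${sample%/site}"
```

Point `audit_webroot` at your real document root to get the same report; an empty result means every path matches the guideline.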
Secure Token invalid
A Secure Token is a form of authentication that allows a URL to be accessible for a certain period. You can define the expiration time of the token. However, once it expires, the content will no longer be accessible. If the token is invalid, it will return the error 403.
Hotlink protection
As mentioned in the previous section, enabling Zone Referrers within KeyCDN or hotlink protection on your web server will deliver a 403 Forbidden error to referrers who aren't permitted to access your files. Double-check that you have set up your referrers correctly and have added all the domains that should be able to access the website's resources.
Use the HTTP Header Checker tool to test your URL against an HTTP referrer to see if you receive a 403 error as expected.
Caching
A previously requested version of a URL returning a 403 Forbidden error could still be cached in your browser's cache or any intermediary caches. Clearing your cache is a measure you can take to ensure you aren't being served old files.
Hidden files or wrong URL
If a user tries to access hidden files stored on your web server, such as the .htaccess file, this will also return a 403 Forbidden error. Hidden files are not meant to be publicly accessible, so the server restricts them and lets users know they are forbidden to access them. Similarly, suppose a user incorrectly enters a URL. In that case, a 403 Forbidden Nginx error message (or something similar) may also occur depending on what they have entered, for example, a directory instead of a file path.
Check your plugins
It is possible the web server rejected your browser due to various active plugins and/or add-ons (for example, due to the use of an adblocker or proxy plugin). The most efficient way to find the problematic plugin is by process of elimination: deactivate all your plugins and then reactivate them one by one. Once you find the plugin that causes the problem, you can either ask the plugin's developer for help or choose another equivalent plugin.
Firewall settings
If this does not lead to the desired result, there is still a possibility that the web server has a problem with your firewall and therefore gives you the HTTP error 403 in the browser. If you trust the site operator, you can disable the firewall and then try to open the website again. If this solves the problem, you can add an exception for the page in the firewall settings.
Fixing an Nginx 403 Forbidden error
In addition to the 403 error causes mentioned above, there are also a few things you can do to troubleshoot an Nginx 403 Forbidden error.
- No index file defined - When there is no index file present in the directory defined with the index directive, this can result in an Nginx 403 Forbidden error. For example, consider the following index directive: index index.html index.htm index.php; Nginx will search from left to right for the defined index files. Starting with index.html and ending with index.php, if none of the defined files are found, Nginx will return a 403 error.
- IP based restrictions - Your nginx.conf file should also be verified to ensure you are not unintentionally denying a particular IP. Check the configuration file for directives similar to deny 192.x.x.x; which will block said IP from accessing a particular directory, website, or your complete server (depending on where you define it).
- Autoindex Off - With Nginx, if you don't have an index file then a request gets passed on to the ngx_http_autoindex_module. If this module is set to off then you will likely receive an Nginx 403 Forbidden error. Setting this module to on should resolve the 403 error. For example: location /directory { autoindex on; } Note that autoindex on makes the directory listing visible to every visitor, so enable it only for directories whose contents are meant to be browsed.
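To tell these causes apart on a running server, look at what Nginx wrote to its error log when it returned the 403. The script below is an added example, not part of the original article: it matches the wording Nginx uses for a missing index, a deny rule and a file permission failure, and the function names, cause labels and sample log lines (documentation IP addresses, made-up paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: map nginx error.log lines to the 403 causes listed above.

# classify_403 LINE: print the likely cause for one error.log line.
classify_403() {
    case $1 in
        # No index file found and autoindex is off for the directory.
        *'directory index of '*' is forbidden'*) echo no_index_autoindex_off ;;
        # A deny directive (IP restriction or blocked hidden file) matched.
        *'access forbidden by rule'*) echo deny_rule ;;
        # The worker process could not read the file or traverse a folder.
        *'(13: Permission denied)'*) echo file_permissions ;;
        *) echo unclassified ;;
    esac
}

# summarize_403: read log lines on stdin, print "cause=count", sorted.
summarize_403() {
    while IFS= read -r line; do
        classify_403 "$line"
    done | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# sample_log: constructed error.log lines, not taken from a real server.
sample_log() {
    cat <<'EOF'
2024/01/01 10:00:00 [error] 71#71: *1 directory index of "/var/www/html/files/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /files/ HTTP/1.1", host: "example.com"
2024/01/01 10:00:01 [error] 71#71: *2 access forbidden by rule, client: 203.0.113.9, server: example.com, request: "GET /.htaccess HTTP/1.1", host: "example.com"
2024/01/01 10:00:02 [error] 71#71: *3 open() "/var/www/html/report.pdf" failed (13: Permission denied), client: 198.51.100.7, server: example.com, request: "GET /report.pdf HTTP/1.1", host: "example.com"
2024/01/01 10:00:03 [error] 71#71: *4 directory index of "/var/www/html/img/" is forbidden, client: 203.0.113.5, server: example.com, request: "GET /img/ HTTP/1.1", host: "example.com"
2024/01/01 10:00:04 [error] 71#71: *5 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
EOF
}

sample_log | summarize_403
```

Feed it your own log with `summarize_403 < /path/to/error.log`, using whatever path your error_log directive sets.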
Summary
HTTP 403 Forbidden errors can happen for various reasons; however, they all mean the same thing - that you are being denied access to the requested resource. Whether you are receiving a 403 Forbidden Nginx error, Apache error, or from any other web server, try debugging the error with the suggestions mentioned above.
If you are not a website operator but a visitor and receive the error message when you visit a website, you should look closely at your browser settings and/or your firewall.
However, website operators do protect certain directories of a site from "directory browsing". It may also happen that the website administrator has configured the permissions incorrectly. In this case, you have no choice but to contact the website operators and ask for the reason for the 403 error.
If you are using Zone Referrers with KeyCDN and are still getting 403 errors, try consulting our CDN Troubleshooting Guide under "Are you getting 403 Forbidden after you enabled Zone Referrers?" for more information.