HTTP 403 Error: Forbidden
Access forbidden: understand and resolve.
The HTTP 403 "Forbidden" error indicates that the server understood the request but refuses to authorize it. Unlike 401, which asks the client to authenticate, 403 means that authenticating (or re-authenticating) will not grant access to the resource.
This code is used when the server wants to explicitly deny access: incorrect file permissions, Web Application Firewall (WAF) rules, IP or geographic restrictions, or simply insufficient user permissions for the requested action.
For monitoring, 403 can be intentional (protected resources) or signal a configuration problem. A sudden 403 on a normally accessible resource often indicates a permission change after deployment or a security rule modification.
Main causes of 403 errors
The 403 error can come from many sources. Here are the most common:
- File permissions: On Linux/Unix, files readable only by their owner (600) when that owner is not the web server user, or directories without the execute (search) bit (for example 644 on a directory), prevent the web server from reading or traversing them. Every directory on the path to the file needs the execute bit, not just the last one.
- .htaccess rules: Deny from all directives, Require all denied, or IP restrictions can block access.
- Web Application Firewall (WAF): Cloudflare, AWS WAF, or ModSecurity can block requests deemed suspicious (suspect user-agent, attack pattern).
- IP/geo restrictions: Some resources are only accessible from certain IPs or geographic zones.
Difference between 403 and 401
These two codes are often confused but have very different meanings:
- 403 Forbidden: The server has evaluated the request, whether or not it identified you, and refuses it. Providing credentials (or different credentials) won't change anything.
- 401 Unauthorized: The request carries no valid credentials for the resource. The response includes a WWW-Authenticate header telling the client how to authenticate, and providing valid credentials should solve the problem.
- In practice: 401 = "Identify yourself". 403 = "Even identified, you don't have permission".
- Semantic choice: Some prefer returning 404 instead of 403 so as not to reveal the existence of a protected resource; the HTTP specification explicitly allows this.
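The 401/403/404 decision described above, as an added example that is not part of the original page: a small HTTP Basic authorization routine that returns the status a server should send at each step. The user store, the realm name and the permission name "admin.access" are assumptions for the demo; a real implementation would store password hashes rather than passwords.

```python
import base64
import hmac

# Constructed demo credential store (hypothetical, not from the page):
# user -> (password, set of permissions). Real code stores password hashes.
USERS = {
    "alice": ("alice-secret", {"admin.access"}),
    "bob": ("bob-secret", set()),
}


def basic_header(user, password):
    """Build the Authorization header a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def parse_basic_auth(headers):
    """Return (user, password) from a Basic Authorization header, or None if unusable."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(headers, required_permission, hide_existence=False):
    """Decide between 401, 403 (or 404) and 200 for a protected resource.

    Returns (status, response_headers). A 401 always carries WWW-Authenticate so
    the client knows how to identify itself; a 403 never does, because
    re-authenticating would not change the outcome. With hide_existence=True the
    403 becomes a 404, which is the option discussed in the text.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="admin"'}
    creds = parse_basic_auth(headers)
    if creds is None:
        return 401, challenge  # no usable credentials: ask for them
    user, password = creds
    record = USERS.get(user)
    # Compare against a dummy of the same length when the user is unknown, so
    # known and unknown usernames are rejected in (roughly) the same time.
    expected = record[0] if record else "x" * len(password)
    matches = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    if not (matches and record is not None):
        return 401, challenge  # wrong credentials: still an authentication problem
    if required_permission not in record[1]:
        # Authenticated, but not allowed: 403, or 404 to hide that the resource exists.
        return (404 if hide_existence else 403), {}
    return 200, {}


if __name__ == "__main__":
    print(authorize({}, "admin.access"))
    print(authorize(basic_header("bob", "bob-secret"), "admin.access"))
    print(authorize(basic_header("bob", "bob-secret"), "admin.access", hide_existence=True))
    print(authorize(basic_header("alice", "alice-secret"), "admin.access"))
```

Note that bob, who authenticates correctly, gets 403: sending the same credentials again cannot help him, which is exactly the difference from the 401 returned for a missing or wrong password.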
Resolving 403 errors
Based on the identified cause, here are the solutions to apply:
- Fix permissions: chmod 644 for files, 755 for folders (every directory on the path to the file needs the execute bit). The web server user (www-data, apache, nginx) must be able to read the files; it does not need to own them. Give it ownership only of directories it must write to (uploads, cache), since owning the whole tree lets a compromised application rewrite its own code.
- Modify .htaccess: Replace Deny from all with more specific rules or add exceptions for legitimate IPs.
- Configure WAF: Add exception rules (whitelist) for monitoring IPs. Exceptions based only on a user-agent string are weak, because any client can send that string; if you need one, tie it to the monitoring IPs as well.
- Check application permissions: In the application, ensure the user has the required roles/permissions for the action.
Configuration examples
Here are configuration examples for managing permissions and access:
# Linux - Fix permissions (644 for files, 755 for directories; each directory on the path needs the x bit)
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
# chown is only needed when the web server user cannot read the files. Ownership of the whole
# tree lets a compromised application rewrite its own code, so prefer a deploy user as owner
# and limit web server ownership to directories it must write (uploads, cache)
chown -R www-data:www-data /var/www/html
# Apache .htaccess - Allow certain IPs (Apache 2.2 syntax; on 2.4 it needs mod_access_compat,
# the native 2.4 form is "Require ip 192.168.1.0/24 10.0.0.0/8")
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
Allow from 10.0.0.0/8
# Nginx - IP restriction
location /admin {
allow 192.168.1.0/24;
deny all;
}
# PHP - Permission check
if (!$user->hasPermission("admin.access")) {
http_response_code(403);
exit("Access forbidden");
}
A request has to pass every layer (WAF, web server access rules, filesystem permissions, application checks); a deny at any one of them produces a 403, so these layers must be coordinated for correct access.
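The two filesystem causes listed under "Main causes" (a file readable only by its owner, a directory without the execute bit) and the 644/755 baseline from the commands above, as an added example that is not part of the original page: a checker that walks a path component by component the way the web server would and reports the first blocker, plus the baseline fix. The web server uid (33, www-data on Debian) and the document root layout are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

# Hypothetical web server identity (www-data is uid/gid 33 on Debian). A uid that is
# not the current user is chosen on purpose so the check exercises the "other" bits,
# which is the situation when files are owned by a deploy user or by root.
WEB_UID = 33 if os.getuid() != 33 else 1000
WEB_GIDS = {WEB_UID}


def _bits_for(st, uid, gids):
    """The rwx triplet from st_mode that applies to uid (owner, group or other)."""
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (st.st_mode >> shift) & 0o7


def find_403_cause(docroot, relpath, uid=WEB_UID, gids=WEB_GIDS):
    """Walk docroot/relpath as the web server user and report the first blocker.

    Every directory on the chain (docroot included) needs the execute/search bit and
    the final file needs the read bit. Returns None when the chain is fine, otherwise
    (path, reason). Directories above docroot need x too; pass docroot="/" to include
    them. uid 0 bypasses mode bits, so always test with the real service uid.
    """
    parts = [p for p in relpath.split("/") if p]
    nodes = [docroot] + [os.path.join(docroot, *parts[:i]) for i in range(1, len(parts) + 1)]
    for node in nodes:
        st = os.stat(node)
        bits = _bits_for(st, uid, gids)
        mode = st.st_mode & 0o777
        if stat.S_ISDIR(st.st_mode):
            if not bits & 0o1:
                return node, "directory mode %03o has no execute bit for uid %d" % (mode, uid)
        elif not bits & 0o4:
            return node, "file mode %03o is not readable by uid %d" % (mode, uid)
    return None


def apply_baseline(docroot):
    """The page's fix: 755 on directories, 644 on files (chmod only, ownership untouched)."""
    os.chmod(docroot, 0o755)
    for dirpath, dirnames, filenames in os.walk(docroot):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)


def build_demo_site():
    """Constructed document root containing the two classic mistakes from the page."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.chmod(root, 0o755)  # mkdtemp creates 700, which would itself block the server
    os.makedirs(os.path.join(root, "private"))
    for rel in ("index.html", "config.php", "private/secret.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "config.php"), 0o600)  # readable by its owner only
    os.chmod(os.path.join(root, "private", "secret.txt"), 0o644)
    os.chmod(os.path.join(root, "private"), 0o644)  # directory without the execute bit
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel in ("index.html", "config.php", "private/secret.txt"):
        print(rel, "->", find_403_cause(site, rel))
    apply_baseline(site)
    print("after baseline:", [find_403_cause(site, r) for r in ("config.php", "private/secret.txt")])
```

Running it shows index.html passing, config.php failing on its own 600 mode, and private/secret.txt failing on the private directory (the file itself is 644, which is why "the file looks fine" is not enough); after apply_baseline both resolve without any chown.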
Monitoring and 403 errors
403 in monitoring requires special attention:
- IP whitelist: Add MoniTao server IPs to your whitelist if your resources are IP-protected.
- User-Agent: Some WAFs block unknown user-agents. Configure an exception for the MoniTao user-agent, but since any client can send that string, scope the exception to the MoniTao IPs rather than relying on the user-agent alone.
- Appropriate alert: Configure your monitors to alert on unexpected 403 (normally accessible resources).
- Post-deployment test: After each deployment, verify that permissions haven't changed unexpectedly.
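The alerting rule from this list (alert on unexpected 403s, and tell a blocked monitor apart from a broken resource), as an added example that is not part of the original page: detection logic run over a few constructed access log lines in combined log format. The IP 203.0.113.10 standing in for the monitoring server and the log lines themselves are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines. 203.0.113.10 plays the monitoring
# server, the other addresses are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:10:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "MoniTao/1.0"
192.0.2.5 - - [10/Jun/2024:10:00:30 +0000] "GET /docs/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:10:02:00 +0000] "GET /admin HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2024:10:03:01 +0000] "GET /docs/ HTTP/1.1" 200 8192 "-" "MoniTao/1.0"
203.0.113.10 - - [10/Jun/2024:10:05:01 +0000] "GET /pricing HTTP/1.1" 403 312 "-" "MoniTao/1.0"
192.0.2.5 - - [10/Jun/2024:10:05:40 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Jun/2024:10:06:10 +0000] "GET /docs/ HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2024:10:06:30 +0000] "GET /docs/ HTTP/1.1" 403 312 "-" "MoniTao/1.0"
198.51.100.7 - - [10/Jun/2024:10:07:00 +0000] "GET /admin HTTP/1.1" 403 312 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2024:10:08:01 +0000] "GET /about HTTP/1.1" 200 1024 "-" "MoniTao/1.0"
"""

MONITOR_IPS = {"203.0.113.10"}  # assumed monitoring address for the demo

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Return [(ip, path, status), ...] in log order; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append((m["ip"], m["path"], int(m["status"])))
    return entries


def classify_403s(entries, monitor_ips):
    """Return {path: verdict} for every path that returned 403 at least once.

    "expected"        the path never succeeded in this window (an area that is
                      intentionally forbidden to these clients): no alert
    "monitor-blocked" only monitoring IPs get 403 while other clients still succeed:
                      look at WAF / IP allow-list rules, not at the resource
    "regression"      the path used to succeed and now returns 403 to ordinary
                      clients: a permission or configuration change, alert
    """
    by_path = defaultdict(list)
    for ip, path, status in entries:
        by_path[path].append((ip, status))
    verdicts = {}
    for path, hits in by_path.items():
        forbidden_ips = [ip for ip, s in hits if s == 403]
        if not forbidden_ips:
            continue
        if not any(200 <= s < 300 for _, s in hits):
            verdicts[path] = "expected"
            continue
        others = [s for ip, s in hits if ip not in monitor_ips]
        only_monitor_blocked = all(ip in monitor_ips for ip in forbidden_ips)
        if only_monitor_blocked and (not others or others[-1] < 400):
            verdicts[path] = "monitor-blocked"
        else:
            verdicts[path] = "regression"
    return verdicts


def alerts(text, monitor_ips=MONITOR_IPS):
    """Paths worth paging on: everything except the intentionally forbidden ones."""
    return {p: v for p, v in classify_403s(parse_log(text), monitor_ips).items() if v != "expected"}


if __name__ == "__main__":
    for path, verdict in sorted(classify_403s(parse_log(SAMPLE_LOG), MONITOR_IPS).items()):
        print(f"{path:12} {verdict}")
```

On the sample, /admin is "expected" (nobody ever got in, which is the intended behaviour), /pricing is "monitor-blocked" (only the monitoring address is refused while a visitor still gets 200, so the fix is an allow-list entry), and /docs/ is a "regression" (everyone gets 403 after it worked, so permissions or rules changed). The window should be sized to the deployment cadence so that the "used to succeed" baseline is meaningful.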
Permissions and access checklist
- Files with 644 permissions (rw-r--r--)
- Folders with 755 permissions (rwxr-xr-x)
- Files readable by the web server user (www-data, apache, nginx); web server ownership only where the application must write
- .htaccess not unintentionally blocking
- Monitoring IPs whitelisted if needed
- WAF configured to allow monitoring
Frequently asked questions about HTTP 403
Why 403 and not 404 for a protected resource?
403 reveals that the resource exists. Some use 404 for admin pages to avoid drawing attention; the HTTP specification permits this. It is security through obscurity, not a requirement, and the resource still needs a real authorization check behind it.
My monitoring triggers the WAF and receives 403. What to do?
Whitelist MoniTao IPs in your WAF. An exception rule based on user-agent alone is easy to spoof, so prefer the IP allow list or combine both. Also verify that monitoring request patterns don't look like attacks.
403 appears after git pull or deployment. Why?
Git tracks only the executable bit, so the files it creates or replaces get their mode from the umask of the user running the pull and are owned by that user. A pull run as root, or with a restrictive umask such as 077, leaves files the web server cannot read. After deployment, run the appropriate chmod/chown commands, and integrate them into your deployment script.
How to monitor an IP-protected page without whitelist?
If you can't whitelist MoniTao IPs, configure a specific unprotected health check endpoint (one that exposes no sensitive data, since it is reachable by anyone), or use an internal reverse proxy.
Cloudflare blocks my monitoring requests with 403. What to do?
In Cloudflare, go to Security > WAF and create an exception rule for MoniTao IPs (a rule keyed on the monitoring user-agent alone can be spoofed by anyone). Lowering the global security level also works, but it relaxes protection for every visitor, so a scoped exception is preferable.
What's the difference between 403 and 451?
403 indicates a general access refusal. 451 (Unavailable For Legal Reasons) indicates access is blocked for legal reasons (censorship, DMCA, etc.).
Conclusion
The HTTP 403 Forbidden error means the server explicitly refuses access to the resource. Causes range from file permissions to WAF rules, including application restrictions. Understanding the source of 403 is essential to resolving it.
For monitoring with MoniTao, ensure you whitelist monitoring IPs if necessary. A sudden 403 on a normally accessible resource should trigger an alert and immediate investigation of permissions or security rules.