What Is a 403 Error?
Every response on the Web comes with an HTTP status code. Users don’t see most of them in their browsers; the browser uses them to do its work. The most common one, 200, says that the request succeeded. Others indicate a redirection to another URL, a software error, or a problem delivering the requested content.
The last category — that the server can’t or won’t deliver what was requested — uses numbers starting with 4, and those often are visible in the browser. Everyone has run into code 404, “not found.” It comes back when the user enters a wrong URL, or when the page that used to be served at that URL is no longer available.
Code 403, meaning “forbidden,” isn’t as common, but most regular Web users have seen it. The World Wide Web Consortium’s official description is “The server understood the request but is refusing to fulfil it.” It generally means the content exists but isn’t available to the user.
Sometimes, this code indicates a bug on the server side. If OrangeWebsite hosts your content, we’ll help you to make sure your audience doesn’t get it by mistake.
Causes of 403 responses
A request can get a 403 response for several reasons. Some are legitimate rejections of the request, but others may indicate errors in setting up the server. Legitimate refusals can be for these reasons:
- The content is private, and the viewer isn’t logged in as its owner.
- The content is restricted to a set of authenticated users.
- The IP address in the request is prohibited. This can happen if the client is listed as a malicious site, or if the content is geographically restricted.
- The IP address is temporarily blocked, for reasons such as too many failed login attempts.
- Security software has flagged the request as malicious. For instance, its data might look like an SQL injection attempt.
A 403 response can result from a mistake in setting up the server:
- The directory has no default file. This happens when the user requests a directory, such as http://example.com/, and it contains no file named index.html or another name the server configuration recognizes as a default. The site configuration may allow directory listing, in which case the user will see a list of files instead. This option is a bad idea for both user-friendliness and security. The directory should have a default file.
- File permissions aren’t set up correctly. This often happens when the owner of a file is different from the user the Web server runs as. For instance, if a file belongs to “admin” and is readable only by its owner, and the server runs as “Apache,” it won’t be able to read the file and will return a 403 error.
- A bug or configuration error is making security software refuse legitimate requests.
- The .htaccess file (Apache’s per-directory configuration file), which controls the requests the server accepts, contains errors. A defective .htaccess file might block all requests or allow ones that shouldn’t be allowed.
Another possibility is that the user’s employer or ISP is blocking the request. Some countries mandate blocking on a nationwide scale. The blocking node returns a 403 code without passing the request to the server.
What to do
A legitimate 403 response is no problem, but if users are getting them when they shouldn’t, fixing the issue is necessary. This checklist will let the administrator fix many problems:
- Ensure the account the server runs under has all necessary file permissions. The simplest way is to have the content files belong to the same account. Alternatively, the files can belong to another user in the same group and be set as group-readable.
- Review the .htaccess file to ensure it does what is intended and doesn’t have syntax errors.
- Check that any security configuration software (e.g., mod_security) has the correct rules and isn’t excessively strict.
- If only certain users are getting 403 responses, try to find out if the site is on a blacklist.
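The permission and default-file items in the list above can be checked mechanically. The script below is an added example, not OrangeWebsite’s tooling: it inspects a document root and reports the filesystem reasons a server running as a given uid/gid would answer a request for that directory with 403. It reasons from the mode bits rather than calling os.access(), because os.access() answers for the account running the script, not for the account the web server runs as. The index-file names, the sample document root it builds, and the function names are assumptions made for this example.

```python
import os
import stat
import tempfile

# Assumption for this example: the default file names the server is configured to recognize.
DEFAULT_INDEX_NAMES = ("index.html", "index.htm", "index.php")


def can_access(st, uid, gid, traverse=False):
    """Decide from the mode bits alone whether a process running as uid/gid
    could read the entry (or, with traverse=True, enter a directory).
    Owner bits apply if uid matches, else group bits if gid matches, else 'other'."""
    if st.st_uid == uid:
        read_bit, exec_bit = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid == gid:
        read_bit, exec_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        read_bit, exec_bit = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & (exec_bit if traverse else read_bit))


def diagnose_403(docroot, server_uid, server_gid, index_names=DEFAULT_INDEX_NAMES):
    """Return a list of findings explaining why a request for docroot/
    might get a 403 from a server running as server_uid/server_gid.
    An empty list means none of the filesystem causes apply."""
    findings = []

    # 1. The server must be able to enter the directory itself (execute bit).
    dir_st = os.stat(docroot)
    if not can_access(dir_st, server_uid, server_gid, traverse=True):
        findings.append(f"server user {server_uid} cannot traverse directory {docroot} "
                        f"(mode {stat.filemode(dir_st.st_mode)})")

    # 2. Without a default file the server either lists the directory or refuses.
    present = [n for n in index_names if os.path.isfile(os.path.join(docroot, n))]
    if not present:
        findings.append(f"no default file ({', '.join(index_names)}) in {docroot}")

    # 3. Each default file that exists must be readable by the server user.
    for name in present:
        file_st = os.stat(os.path.join(docroot, name))
        if not can_access(file_st, server_uid, server_gid):
            findings.append(f"{name} is owned by uid {file_st.st_uid} with mode "
                            f"{stat.filemode(file_st.st_mode)}; server user {server_uid} cannot read it")
    return findings


def build_sample_docroot(path, file_mode):
    """Constructed sample: a document root containing index.html with the given mode.
    The directory is made world-traversable so only the file's permissions matter."""
    os.chmod(path, 0o755)
    index = os.path.join(path, "index.html")
    with open(index, "w") as fh:
        fh.write("<h1>hello</h1>\n")
    os.chmod(index, file_mode)
    return index


def run_demo():
    """Reproduce the 'file belongs to another user and is owner-only readable' case,
    the corrected case, and the missing-default-file case. The 'server' account is
    simulated as a uid/gid that differs from the file owner's."""
    owner_uid, owner_gid = os.getuid(), os.getgid()
    server_uid, server_gid = owner_uid + 1, owner_gid + 1

    docroot = tempfile.mkdtemp()
    build_sample_docroot(docroot, 0o600)            # owner-only, as in the article's example
    wrong_owner = diagnose_403(docroot, server_uid, server_gid)

    build_sample_docroot(docroot, 0o644)            # group/other readable: the fix
    fixed = diagnose_403(docroot, server_uid, server_gid)

    empty = tempfile.mkdtemp()
    os.chmod(empty, 0o755)
    no_index = diagnose_403(empty, server_uid, server_gid)

    return {"wrong_owner": wrong_owner, "fixed": fixed, "empty": no_index}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, "->", findings or "no problems found")
```

In production you would pass the real document root and the uid/gid of the account the server runs as (for example from `id -u www-data`), and extend the check to walk every directory between `/` and the document root, since the server needs the traverse bit on each of them.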
Related status codes
The 403 response has a different meaning from other codes in the 400 and 500 series. Websites don’t always use the correct code, and sometimes it’s unclear which one should be used. These are some that might appear:
- 401 (unauthorized): The site asks the user to present credentials, such as a password, before making the content available. This is an HTTP-level authentication challenge (sent with a WWW-Authenticate header), which is different from a web page asking the user to log in to the site.
- 404 (not found): A site may use this when it doesn’t want unauthorized users to know it’s a valid URL. Giving a 403 response tells the user that something resides there, and sometimes that’s more information than the site wants to give.
- 406 (not acceptable): The content is available, but the request insisted on receiving it in a form (e.g., a certain encoding) that the server can’t deliver.
- 410 (gone): The content is no longer available. This is rare; most sites use 404 in this situation.
- 451 (unavailable for legal reasons): This code is an IETF proposed standard. You may see it for legally blocked content as an alternative to 403. It could indicate regional blocking for copyright reasons or prohibition by a government. The number is a play on Ray Bradbury’s novel about book burning, Fahrenheit 451.
- 500 (internal server error): This usually indicates an uncaught error in the software running on the server.
- 503 (service unavailable): A server may return this when it’s down for maintenance or overloaded. The resource will be available at a later time.
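The legitimate-refusal reasons listed earlier and the code distinctions above amount to a decision procedure. The function below is an added example, not OrangeWebsite’s code or any server’s: it takes a request and returns the status, reason and headers a server should send, choosing 403 for a blocked address, 451 for regionally blocked content, 401 with a challenge when credentials are missing or wrong, and either 403 or 404 for an authenticated user who is not allowed to see a private file, depending on whether the site wants to reveal that the file exists. The blocked address, user list, paths and region code are constructed sample data.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy for this example.
BLOCKED_IPS = {"203.0.113.7"}                       # RFC 5737 documentation address
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}  # sample accounts (never store plaintext for real)
PUBLIC_PATHS = {"/", "/about.html", "/news.html"}
PRIVATE_PATHS = {"/reports/q3.pdf": {"alice"}}       # path -> set of owners allowed to read it
LEGALLY_BLOCKED = {"/news.html": {"XX"}}             # path -> country codes where it must not be served


@dataclass
class Request:
    path: str
    client_ip: str
    country: str = "ZZ"             # assumed to come from a geolocation lookup
    user: Optional[str] = None      # username from HTTP authentication, if any
    password: Optional[str] = None


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)


def choose_status(req, hide_existence=True):
    """Map a request to the status code the article's rules call for."""
    # 1. A prohibited client address is refused before the path is even considered.
    if req.client_ip in BLOCKED_IPS:
        return Response(403, "Forbidden")

    # 2. Content the site may not serve in this region: 451 rather than a bare 403.
    if req.country in LEGALLY_BLOCKED.get(req.path, set()):
        return Response(451, "Unavailable For Legal Reasons")

    if req.path in PUBLIC_PATHS:
        return Response(200, "OK")

    if req.path in PRIVATE_PATHS:
        # 3. No credentials: 401 plus a challenge so the client knows to authenticate.
        if req.user is None or req.password is None:
            return Response(401, "Unauthorized",
                            {"WWW-Authenticate": 'Basic realm="private"'})
        # 4. Wrong credentials: still 401; the challenge stands. Constant-time compare.
        expected = CREDENTIALS.get(req.user, "")
        if not hmac.compare_digest(expected.encode(), req.password.encode()):
            return Response(401, "Unauthorized",
                            {"WWW-Authenticate": 'Basic realm="private"'})
        # 5. Authenticated but not an owner: 403 says "it exists, not for you";
        #    404 avoids confirming that the file exists at all.
        if req.user not in PRIVATE_PATHS[req.path]:
            return Response(404, "Not Found") if hide_existence else Response(403, "Forbidden")
        return Response(200, "OK")

    # 6. Nothing is configured at this path.
    return Response(404, "Not Found")


if __name__ == "__main__":
    samples = [
        Request("/", "198.51.100.1"),
        Request("/", "203.0.113.7"),
        Request("/news.html", "198.51.100.1", country="XX"),
        Request("/reports/q3.pdf", "198.51.100.1"),
        Request("/reports/q3.pdf", "198.51.100.1", user="bob", password="hunter2"),
        Request("/reports/q3.pdf", "198.51.100.1", user="alice", password="s3cret"),
    ]
    for s in samples:
        r = choose_status(s)
        print(f"{s.path:18} from {s.client_ip:14} user={s.user!s:6} -> {r.status} {r.reason}")
```

The one design choice worth calling out is step 5: once a site decides to answer 404 for private resources, it must do so consistently (including for unauthenticated requests that would otherwise get 401), or the difference between the two answers leaks the same existence information the 404 was meant to hide.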
We can help
If your site is hosted on OrangeWebsite, we’re ready to help you fix mysterious 403 errors and other problems. Our service is second to none, with an average ticket response time of just fifteen minutes. Signing up for site hosting is simple and quick, and we don’t believe in censorship. As long as your content complies with our terms of service and Iceland’s laws, it won’t be “forbidden.”