HTTP 403 Response Status Code Guide: What is it, Usage, Methods

May 26 2024 by Oskay Günaçar

What Is HTTP 403 Status Code?

The HTTP 403 Status Code is an error message indicating that the server understands the request but refuses to authorize it. This status code, also known as "Forbidden," typically means that the client does not have the necessary permissions to access the requested resource, even though the client's identity may be known to the server.

Some common reasons for a 403 status code include:

  1. Authentication Issues: The client is authenticated but does not have the necessary permissions to access the resource.
  2. IP Address Blocking: The server is configured to block access from certain IP addresses.
  3. Directory Browsing Disabled: The server is configured to prevent directory listing, and there is no default index file present.
  4. File or Directory Permissions: The file or directory permissions on the server do not allow access to the resource.
  5. Access Control Configurations: The server's access control configurations explicitly deny access to the resource for the client.

To resolve a 403 status code, you may need to:

  • Check and adjust the permissions or access control settings on the server.
  • Verify that the client has the necessary authentication and authorization.
  • Ensure the server configuration does not inadvertently block the client.
  • Contact the server administrator for further assistance if needed.

Importance of the HTTP 403 Status Code in SEO

The HTTP 403 Status Code, indicating "Forbidden," plays a significant role in SEO (Search Engine Optimization) for several reasons:

Site Accessibility

The HTTP 403 status code directly impacts the accessibility of a website's content. Search engine bots, like Googlebot, need to access and crawl the site to index its pages. If a 403 status code is encountered, these bots are blocked from accessing the content, which can negatively affect the site's visibility in search engine results.

Crawl Efficiency

Efficient crawling is crucial for SEO as it allows search engines to discover and index new and updated content. A 403 status code can waste the crawl budget allocated to your site, meaning that search engines might not crawl other important pages, leading to decreased indexing efficiency.

User Experience

A 403 status code can create a poor user experience if legitimate users are blocked from accessing content they should be able to see. Poor user experience can increase bounce rates and reduce the time spent on the site, both of which are negative signals to search engines and can harm SEO rankings.

Error Monitoring and Resolution

Monitoring for 403 errors helps identify and resolve access issues promptly. Regularly checking server logs and using tools like Google Search Console can help detect these errors. Resolving them ensures that both users and search engine bots can access the content, maintaining and potentially improving SEO performance.

Site Security

While a 403 status code can indicate access restrictions for security purposes, it is essential to balance security measures with accessibility. Properly configured security settings that prevent unauthorized access while allowing legitimate search engine bots can protect the site without compromising SEO.

How to Use HTTP 403 Status Code for a Website

Using the HTTP 403 status code for a website involves configuring your server to return this code when certain conditions are met. Here’s how to properly use the HTTP 403 status code:

When to Use HTTP 403 Status Code

  1. Unauthorized Access Attempts: When users or bots try to access restricted areas without proper permissions.
  2. IP Blocking: When you want to block access from specific IP addresses.
  3. Directory Browsing: When you want to prevent users from viewing the contents of a directory without an index file.
  4. Specific Resource Protection: When certain files or resources should not be accessible to everyone.

Implementing HTTP 403 Status Code

1. Using .htaccess File (For Apache Servers)

The .htaccess file allows you to control the server’s behavior at the directory level. To implement a 403 status code:

Blocking IP Addresses:

<RequireAll>
    Require all granted
    Require not ip 192.168.1.100
</RequireAll>

Denying Access to Specific Files:

<Files "secretfile.txt">
    Require all denied
</Files>

Preventing Directory Listing:

Options -Indexes

2. Using web.config File (For IIS Servers)

For Windows servers running IIS, you can use the web.config file to control access.

Blocking IP Addresses:

<configuration>
    <system.webServer>
        <security>
            <ipSecurity allowUnlisted="true">
                <add ipAddress="192.168.1.100" allowed="false" />
            </ipSecurity>
        </security>
    </system.webServer>
</configuration>

Denying Access to Specific Files:

<configuration>
    <system.webServer>
        <security>
            <authorization>
                <add accessType="Deny" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

3. Using Nginx Configuration

For servers running Nginx, you can configure the nginx.conf file.

Blocking IP Addresses:

server {
    location / {
        deny 192.168.1.100;
        allow all;
    }
}

Denying Access to Specific Files:

server {
    location /secretfile.txt {
        deny all;
    }
}

4. Application-Level Control

If you are using a web application framework like Django, Flask, or Node.js, you can control access at the application level.

Example in Flask (Python):

from flask import Flask, abort

app = Flask(__name__)

@app.route('/secret')
def secret():
    abort(403)

if __name__ == '__main__':
    app.run()

Example in Express (Node.js):

const express = require('express');
const app = express();

app.get('/secret', (req, res) => {
    res.sendStatus(403);
});
app.listen(3000, () => {
    console.log('Server running on port 3000');
});

Customizing 403 Error Pages

Providing a custom error page for 403 errors can improve user experience.

Example for Apache:

ErrorDocument 403 example.com/error-pages/403.html

Example for IIS:

<configuration>
    <system.webServer>
        <httpErrors>
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="403" path="example.com/error-pages/403.html" responseMode="ExecuteURL" />
        </httpErrors>
    </system.webServer>
</configuration>

Monitoring and Managing

Regularly monitor your server logs to detect and analyze 403 errors. This helps in understanding the reasons behind these errors and allows you to take corrective actions if needed.

By appropriately using the HTTP 403 status code, you can enhance security, control access to sensitive resources, and provide a better experience for legitimate users.

How to Check HTTP 403 Status Code?

Checking for an HTTP 403 status code can be done using various methods, including browser developer tools, command-line tools, and online services. Here are some common methods to check for an HTTP 403 status code:

1. Using Browser Developer Tools

Most modern web browsers come with built-in developer tools that allow you to inspect network requests and responses.

Steps:

  1. Open Developer Tools:

    • In Chrome: Right-click on the page and select "Inspect" or press Ctrl+Shift+I (Windows) or Cmd+Option+I (Mac).
    • In Firefox: Right-click on the page and select "Inspect Element" or press Ctrl+Shift+I (Windows) or Cmd+Option+I (Mac).
    • In Edge: Right-click on the page and select "Inspect" or press Ctrl+Shift+I.

  2. Go to the Network Tab:

    • Navigate to the "Network" tab within the developer tools.

  3. Refresh the Page:

    • Refresh the page (F5) to see the network requests.

  4. Inspect the Requests:

    • Look for the specific request you are interested in. If the request is returning a 403 status code, it will be listed in the "Status" or "Response" column.

2. Using Command-Line Tools

cURL

cURL is a command-line tool that can be used to make HTTP requests and view responses.

Example Command:

curl -I https://www.example.com/protected-resource

Explanation:

  • -I fetches the headers only.
  • The response will show the HTTP status code along with other headers.

HTTPie

HTTPie is a user-friendly HTTP client for the command line.

Example Command:

http https://www.example.com/protected-resource

Explanation:

  • This will show the full response including the status code and headers.

3. Using Online Tools

There are several online tools that allow you to check the HTTP status code of a URL.

Examples:

  • HTTP Status Code Checker: Websites like TechSEOHub allow you to enter a URL and see the HTTP status code and response headers.

4. Using Programming Languages

Python

You can use the requests library in Python to check the status code.

Example Code:

import requests

response = requests.get('https://www.example.com/protected-resource')
print(response.status_code)

JavaScript (Node.js)

Using Node.js with the axios library:

Example Code:

const axios = require('axios');

axios.get('https://www.example.com/protected-resource')
    .then(response => {
        console.log(response.status);  // Will log the status code
    })
    .catch(error => {
        if (error.response) {
            console.log(error.response.status);  // Will log the status code if there's an error
        } else {
            console.log('Error:', error.message);
        }
    });

Summary

  • Browser Developer Tools: Inspect network requests directly within your browser.
  • Command-Line Tools: Use cURL or HTTPie to make HTTP requests and view status codes.

  • Online Tools: Utilize online services like TechSEOHub's HTTP Status Code Checker, check the status code of a URL.

  • Programming Languages: Write scripts in Python or JavaScript (Node.js) to check the status code programmatically.

By using these methods, you can effectively check for and diagnose HTTP 403 status codes on your website.

Which HTTP Method is used with HTTP 403 Status Code?

The HTTP 403 status code can be returned for any HTTP method, as it indicates that the server understands the request but refuses to authorize it. This means the server is denying access regardless of the HTTP method used. Here are some common HTTP methods that might return a 403 status code:

Common HTTP Methods

  1. GET: Used to request data from a specified resource. A 403 response means that the requested resource is forbidden and the client does not have permission to access it.

    curl -I https://www.example.com/protected-resource 
# Response: HTTP/1.1 403 Forbidden

  2. POST: Used to submit data to be processed to a specified resource. A 403 response means that the server understands the request but the client does not have permission to perform this action.

    curl -X POST https://www.example.com/protected-resource -d "param=value" 
# Response: HTTP/1.1 403 Forbidden

  3. PUT: Used to upload a representation of the specified resource. A 403 response indicates that the client does not have permission to update or create the resource at the specified URL.

    curl -X PUT https://www.example.com/protected-resource -d "param=value" 
# Response: HTTP/1.1 403 Forbidden

  4. DELETE: Used to delete the specified resource. A 403 response means that the client does not have permission to delete the resource.

    curl -X DELETE https://www.example.com/protected-resource 
# Response: HTTP/1.1 403 Forbidden

  5. PATCH: Used to apply partial modifications to a resource. A 403 response indicates that the client does not have permission to partially update the resource.

    curl -X PATCH https://www.example.com/protected-resource -d "param=value" 
# Response: HTTP/1.1 403 Forbidden

  6. OPTIONS: Used to describe the communication options for the target resource. A 403 response indicates that the client does not have permission to access the communication options for the resource.

    curl -X OPTIONS https://www.example.com/protected-resource 
# Response: HTTP/1.1 403 Forbidden

Best Practices for Handling HTTP 403

Handling HTTP 403 status codes effectively involves understanding why they occur and implementing strategies to manage them in a way that maintains both security and user experience. Here are some best practices:

1. Clear Communication

  • Custom Error Pages: Create custom 403 error pages that clearly explain why access is denied and provide guidance on what the user can do next. This helps in maintaining a good user experience.

    ErrorDocument 403 example.com/error-pages/403.html

    Example for a custom error page:

    <!DOCTYPE html>
<html>
<head>
    <title>Access Denied</title>
</head>
<body>
    <h1>403 Forbidden</h1>
    <p>You do not have permission to access this resource. If you believe this is an error, please contact support.</p>
</body>
</html>

2. Proper Authorization and Authentication

  • Verify Permissions: Ensure that the user has the necessary permissions before allowing access to restricted resources. Implement role-based access control (RBAC) where appropriate.
  • Authentication Checks: Ensure that users are properly authenticated before checking their permissions.

3. Log and Monitor

  • Logging: Log all 403 errors to identify patterns or potential security issues. Include details such as IP addresses, requested URLs, and user agents.
  • Monitoring: Regularly monitor your logs to detect and investigate unusual access patterns or repeated attempts to access forbidden resources.

4. Secure Configuration

  • File and Directory Permissions: Set proper file and directory permissions on the server to prevent unauthorized access.

    Example for setting permissions on Linux:

    chmod 750 /path/to/directory

  • Access Control: Use server configuration files to control access to resources. This can include .htaccess for Apache, web.config for IIS, or nginx.conf for Nginx.

    Example for Apache .htaccess:

    <Files "sensitive-data.txt">
    Require all denied
</Files>

5. Use of Security Tools

  • Web Application Firewalls (WAF): Implement a WAF to protect your site from malicious requests and to manage access control.
  • IP Whitelisting/Blacklisting: Use IP whitelisting to allow only trusted IP addresses and blacklisting to block suspicious IP addresses.

6. User Feedback

  • Feedback Mechanism: Provide a way for users to report issues if they believe they are incorrectly receiving a 403 error. This could be a contact form or support email address on the custom error page.

7. SEO Considerations

  • Avoid Blocking Search Engine Crawlers: Ensure that search engine crawlers are not unintentionally blocked by your access control settings. Use the robots.txt file to manage crawler access.

    Example of robots.txt:

    User-agent: *
Disallow: /admin/

8. Regular Reviews and Updates

  • Periodic Reviews: Regularly review and update your access control policies and permissions to ensure they align with your current security requirements.
  • Update Documentation: Keep your documentation up-to-date with the latest access control configurations and best practices.

Example Scenarios and Responses

  • Unauthorized Access Attempt: A user without the necessary permissions attempts to access a restricted area.

    Response: Display a custom 403 error page explaining the lack of permissions and suggesting they contact support if they believe it's an error.

  • Blocked IP Address: A request comes from a blocked IP address.

    Response: Log the attempt and display a 403 error page. If the block is temporary, inform the user about the duration or reason for the block.

By following these best practices, you can handle HTTP 403 status codes effectively, maintaining security while ensuring a positive user experience.

Conclusion

In summary, the HTTP 403 status code is a vital part of web server responses that indicates a client's request is understood but forbidden due to lack of proper authorization. While it serves an important role in maintaining security and access control, it's essential to handle 403 errors effectively to avoid negative impacts on user experience and SEO.

By implementing best practices such as clear communication through custom error pages, proper authorization and authentication checks, regular logging and monitoring, secure configuration, and thoughtful use of security tools, you can manage 403 errors efficiently. Additionally, ensuring that search engine crawlers are not inadvertently blocked and providing mechanisms for user feedback can help maintain a positive user experience and improve your site's SEO performance.

Regularly reviewing and updating your access control policies and keeping documentation up-to-date will ensure your site's security measures are both robust and user-friendly. By balancing security needs with accessibility, you can protect sensitive resources while providing a seamless experience for legitimate users and search engine bots alike.

Oskay Günaçar
Oskay Günaçar is a Technical SEO expert and backend developer. His main areas of interest are back-end programming, Python, Django, Go, semantic SEO, technical SEO. With more than 5 years of SEO experience, he has held SEO specialist positions at İkiler, Webtures, Boosmart, and Storyly.io companies, and has been involved in numerous projects as an outsourced expert. Through the TechSEOHub website, he aims to share the expertise and experience he has gained from managing and developing (SEO) processes for many successful and large websites in the industry, and to produce content for easy access to accurate and high-quality information.