403 Forbidden Error

What is a 403 Forbidden error?
A 403 Forbidden error is an HTTP status code that can be returned from a web server to a client for a variety of reasons including IP blocking, bad file permissions, or if a user tries to access a hidden file. The web server will return a 403 Forbidden error based on rules that are configured that tell the server when to deny certain requests. There are multiple variations of the 403 error which you might see dependent upon which server you are using. A few examples include:
- Error 403 Forbidden
- 403 Error
- Forbidden
- 403 Forbidden
- Nginx 403 Forbidden
- 403 Forbidden: Access Denied
- HTTP 403 Forbidden
- 403 Forbidden Error
- 403 Forbidden Nginx
Differences between 403 Forbidden and 401 Unauthorized errors
Both 401 and 403 errors are similar in the sense that they alert the visitor that they are unable to access a resource. However, each error occurs for separate reasons. A 401 error occurs when a request to a particular resource that requires authentication either does not provide authentication or the authentication provided fails.
A 403 error, on the other hand, is returned when the authentication process is passed, but the user is not allowed to perform a particular operation or the operation is forbidden to all users. Examples of operations that may return a 403 Forbidden error are explained in the sections below.
Zone Referrers
Implementing the use of Zone Referrers allows you to restrict HTTP referrers and will return an error 403 to any referrer that you do not specify as a Zone Referrer. This is also known as hotlink protection, which can be implemented on your Apache or Nginx server.
KeyCDN offers the feature of implementing Zone Referrers in order to restrict others from referring to the content you have hosted on the CDN, so that they won't use your bandwidth. Creating a Zone Referrer is easy and can be done directly from your KeyCDN dashboard.
HTTP 403 Forbidden error causes
HTTP 403 Forbidden errors can be caused by a variety of reasons. The section below identifies a few possible causes and debugging suggestions for this error.
Bad permissions
403 Forbidden errors can occur when file permissions are not set properly. Permissions can be modified using the chmod command in the command line. A quick guideline to which permissions each type of file should use is shown below:
- Folders: 755
- Static Content: 644
- Dynamic Content: 700
Secure Token invalid
A Secure Token is a form of authentication that allows a URL to be accessible for a certain period of time. You have the ability to define the expiration time of the token; however, once it expires, the content will no longer be accessible. If the token is invalid, it will return the error 403.
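The expiry behaviour described above, as an added example that is not part of the original page and is not KeyCDN's token format: a generic HMAC-signed URL whose check returns 403 once the token is expired, missing or altered. The secret, the parameter names expires and token, and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # placeholder key, constructed for this example


def sign(path, expires, secret=SECRET):
    """HMAC-SHA256 over the path and expiry, so neither can be altered."""
    return hmac.new(secret, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def make_url(path, ttl, now=None, secret=SECRET):
    """Build a URL that is valid for ttl seconds from now."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{path}?expires={expires}&token={sign(path, expires, secret)}"


def check(url, now=None, secret=SECRET):
    """Return 200 for a valid, unexpired token and 403 for anything else."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        token = query["token"][0]
    except (KeyError, ValueError):
        return 403  # token or expiry missing or malformed
    expected = sign(parts.path, expires, secret)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403  # path or expiry was changed, or the token is forged
    if (time.time() if now is None else now) > expires:
        return 403  # signature is genuine but the validity window has passed
    return 200
```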
Hotlink protection
As mentioned in the previous section, enabling Zone Referrers within KeyCDN or hotlink protection on your web server will deliver a 403 Forbidden error to referrers who aren't permitted to access your files. Double check you have set up your referrers correctly and have added all of the domains that should be able to access the website's resources.
Use the HTTP Header Checker tool to test your URL against an HTTP referrer to see if you receive a 403 error as expected.
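A referrer allowlist check of the kind described above, as an added example that is not part of the original page and is not KeyCDN's or any web server's own code. It compares the parsed host of the Referer header rather than searching the raw string, so lookalike hosts still receive a 403; the function names, the "*.example.com" wildcard syntax and the allow_empty switch are assumptions.

```python
from urllib.parse import urlsplit


def referrer_allowed(referer, allowed_hosts, allow_empty=False):
    """Return True when the host in the Referer header is on the allowlist.

    allowed_hosts holds exact hosts ("example.com") or wildcard subdomains
    ("*.example.com"). allow_empty is an assumed policy switch for requests
    that send no Referer header at all.
    """
    if not referer:
        return allow_empty
    try:
        # hostname is lower-cased and has port and userinfo stripped
        host = urlsplit(referer).hostname
    except ValueError:
        return False  # malformed URL, for example an unclosed IPv6 bracket
    if not host:
        return False
    host = host.rstrip(".")
    for entry in allowed_hosts:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            # ".example.com" must be a true suffix, so the bare domain and
            # "evil-example.com" do not match the wildcard entry
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def status_for(referer, allowed_hosts, allow_empty=False):
    """Status a hotlink-protected resource would return for this Referer."""
    return 200 if referrer_allowed(referer, allowed_hosts, allow_empty) else 403
```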
Caching
A previously requested version of a URL returning a 403 Forbidden error could still be cached in your browser's cache or any intermediary caches. Clearing your cache is a measure you can take to ensure you aren't being served old files.
Hidden files or wrong URL
If a user tries to access hidden files stored on your web server, such as the .htaccess file, this will also return a 403 Forbidden error. Hidden files are not meant to be publicly accessible, which is why the server restricts them and lets the user know they are forbidden to access them. Similarly, if a user incorrectly enters a URL, a 403 Forbidden Nginx error message (or something similar) may also occur depending on what they have entered, for example, a directory instead of a file path.
Fixing an Nginx 403 Forbidden error
In addition to the 403 error causes mentioned above, there are also a few things you can do to troubleshoot an Nginx 403 Forbidden error.
- No index file defined - When there is no index file present in the directory defined with the index directive, this can result in an Nginx 403 Forbidden error. For example, consider the following index directive:
    index index.html index.htm index.php;
  Nginx will search from left to right for the defined index files. Starting with index.html and ending with index.php, if none of the defined files are found, Nginx will return a 403 error.
- IP based restrictions - Your nginx.conf file should also be verified to ensure you are not unintentionally denying a particular IP. Check the configuration file for directives similar to deny 192.x.x.x; which will block said IP from accessing a particular directory, website, or your complete server (depending on where you define it).
- Autoindex Off - With Nginx, if you don't have an index file then a request gets passed on to the ngx_http_autoindex_module. If this module is set to off then you will likely receive an Nginx 403 Forbidden error. Setting this module to on should resolve the 403 error. Keep in mind that autoindex on makes Nginx publish a listing of every file in that directory, so enable it only where a public listing is intended; otherwise add an index file instead. For example:
    location /directory { autoindex on; }
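A triage helper for the causes covered under Bad permissions, Hidden files or wrong URL, and No index file defined, as an added example that is not part of the original page and is not Nginx's own logic. It assumes the server worker is neither owner nor group of the files, so the "other" permission bits decide access; the function name and finding codes are invented for this sketch.

```python
import stat
from pathlib import Path

INDEX_FILES = ("index.html", "index.htm", "index.php")  # the index directive shown above


def diagnose_403(docroot, url_path, index_files=INDEX_FILES):
    """Return (code, detail) findings that could explain a 403 for url_path.

    Assumption: the server worker is neither owner nor group of the files, so
    the "other" permission bits decide what it may read.
    """
    parts = [p for p in url_path.split("/") if p]
    if ".." in parts:
        return [("rejected", "parent-directory segment, not evaluated")]
    findings = []
    if any(p.startswith(".") for p in parts):
        findings.append(("hidden", "dotfile in path, e.g. .htaccess"))
    chain = [Path(docroot)]
    for p in parts:
        chain.append(chain[-1] / p)
    target = chain[-1]
    if not target.exists():
        return findings + [("missing", "no such path; expect 404 rather than 403")]
    # Every directory on the way needs o+x, the last 5 in the 755 guideline.
    dirs = chain if target.is_dir() else chain[:-1]
    for d in dirs:
        mode = stat.S_IMODE(d.stat().st_mode)
        if not mode & stat.S_IXOTH:
            findings.append(("dir-perms", f"{d} is {mode:o}, guideline is 755"))
    if target.is_dir():
        # Nginx tries the index files left to right; none found means 403
        # unless autoindex is on for this location.
        if not any((target / name).is_file() for name in index_files):
            findings.append(("no-index", f"none of {index_files} in {target}"))
    else:
        mode = stat.S_IMODE(target.stat().st_mode)
        if not mode & stat.S_IROTH:
            findings.append(("file-perms", f"{target} is {mode:o}, guideline is 644"))
    return findings
```

Call it as diagnose_403("/var/www/html", "/some/path/") with your own document root; an empty list means none of these three causes applies.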
Summary
HTTP 403 Forbidden errors can happen for a variety of reasons, however, they all mean the same thing - that you are being denied access to the resource you requested. Whether you are receiving a 403 Forbidden Nginx error, Apache error, or from any other web server, try debugging the error with the suggestions mentioned above.
If you are using Zone Referrers with KeyCDN and are still getting 403 errors, try consulting our CDN Troubleshooting Guide under Are you getting 403 Forbidden after you enabled Zone Referrers? for more information.