403 Forbidden Error

What is a 403 Forbidden error?

A 403 Forbidden error is an HTTP status code that can be returned from a web server to a client for a variety of reasons including IP blocking, bad file permissions, or if a user tries to access a hidden file. The web server will return a 403 Forbidden error based on rules that are configured that tell the server when to deny certain requests. There are multiple variations of the 403 error which you might see dependent upon which server you are using. A few examples include:

• Error 403 Forbidden
• 403 Error
• Forbidden
• 403 Forbidden
• Nginx 403 Forbidden
• 403 Forbidden: Access Denied
• HTTP 403 Forbidden
• 403 Forbidden Error
• 403 Forbidden Nginx

Differences between 403 Forbidden and 401 Unauthorized errors

Both 401 and 403 errors are similar in a sense that they alert the visitor that they are unable to access a resource. However, each error occurs for separate reasons. A 401 error occurs when a request to a particular resource that requires authentication either does not provide authentication or the authentication provided fails.

A 403 error on the other hand, is returned when the authentication process is passed, but the user is not allowed to perform a particular operation or the operation is forbidden to all users. Examples of operations that may return a 403 Forbidden error are explained in the sections below.

Zone Referrers

Implementing the use of Zone Referrers allows you to restrict HTTP referrers and will return an error 403 to any referrer that you do not specify as a Zone Referrer. This is also known as hotlink protection which can be implemented on your Apache or Nginx server.

KeyCDN offers the feature of implementing Zone Referrers in order to restrict others from referring to the content you have hosted on the CDN and thus won’t use your bandwidth. Creating a Zone Referrer is easy and can be done directly from your KeyCDN dashboard.

HTTP 403 Forbidden error causes

HTTP 403 Forbidden errors can be caused due to a variety of reasons. The section below identifies a few possible causes and debugging suggestions for this error.

Bad permissions

403 Forbidden errors can occur from file permissions not being set properly. Permissions can be modified using the chmod command in the command line. A quick guideline to the files that should use which permissions is shown below:

• Folders: 755
• Static Content: 644
• Dynamic Content: 700

Secure Token invalid

A Secure Token is a form of authentication that allows a URL to be accessible for a certain period of time. You have the ability to define the expiration time of the token, however once it expires, the content will no longer be accessible. If the token is invalid it will return the error 403.

Hotlink protection

As mentioned in the previous section, enabling Zone Referrers within KeyCDN or hotlink protection on your web server will deliver a 403 Forbidden error to referrers who aren’t permitted to access your files. Double check you have set up your referrers correctly and have added all of the domains that should be able to access the website’s resources.

Use the HTTP Header Checker tool to test your URL against an HTTP referrer to see if you receive a 403 error as expected.

Caching

A previously requested version of a URL returning a 403 Forbidden error could still be cached in your browser’s cache or any intermediary caches. Clearing your cache is a measure you can take to ensure you aren’t being served old files.

Hidden files or wrong URL

If a user tries to access hidden files stored on your web server such as the .htaccess file, this will also return a 403 Forbidden error. Hidden files are not meant to publicly accessible which is why the server restricts them and lets the user know they are forbidden to access them. Similarly, if a user incorrectly enters a URL, a 403 Forbidden Nginx error message (or something similar) may also occur depending on what they have entered, for example, a directory instead of a file path.

Fixing an Nginx 403 Forbidden error

In addition to the 403 error causes mentioned above, there are also a few things you can do to troubleshoot an Nginx 403 Forbidden error.

• No index file defined - When there is no index file present in the directory defined with the index directive, this can result in an Nginx 403 Forbidden error. For example, consider the following index directive:

  index index.html index.htm index.php;
  

  Nginx will search from left to right for the defined index files. Starting with index.html and ending with index.php, if none of the defined files are found, Nginx will return a 403 error.

• IP based restrictions - Your nginx.conf file should also be verified to ensure you are not unintentionally denying a particular IP. Check the configuration file for directives similar to deny 192.x.x.x; which will block said IP from accessing a particular directory, website, or your complete server (depending on where you define it).

• Autoindex Off - With Nginx, if you don’t have an index file then a request gets passed on to the ngx_http_autoindex_module. If this module is set to off then you will likely receive an Nginx 403 Forbidden error. Setting this module to on should resolve the 403 error. For example:

  location /directory {
      autoindex on;
  }
  

Summary

HTTP 403 Forbidden errors can happen for a variety of reasons, however, they all mean the same thing - that you are being denied access to the resource you requested. Whether you are receiving a 403 Forbidden Nginx error, Apache error, or from any other web server, try debugging the error with the suggestions mentioned above.

If you are using Zone Referrers with KeyCDN and are still getting 403 errors, try consulting our CDN Troubleshooting Guide under Are you getting 403 Forbidden after you enabled Zone Referrers? for more information.