Common Causes
- Wrong file permissions — file or directory on server is not readable by the web server
- Directory listing disabled — no index file in a directory with listing off
- IP blocked — server has blocked your IP address
- Hotlinking blocked — trying to directly link to a resource on another server
- Insufficient role/permission — authenticated user doesn't have required role
- .htaccess restriction — access rule in .htaccess denies the request
403 vs 401
| Code | Authentication | Authorisation | Fix |
|------|----------------|---------------|-----|
| 401 | Missing/invalid | N/A | Provide credentials |
| 403 | Valid (or not required) | Insufficient | Request elevated permissions |
Server Configuration (Linux/Apache)
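# Check file permissions: the web server user needs read access to files,
# and read + execute (search) access to every directory on the path
chmod 644 /var/www/html/file.html # files
chmod 755 /var/www/html/directory/ # directories
# .htaccess: block access to sensitive files (Require is Apache 2.4+ syntax)
<Files "*.env">
  Require all denied
</Files>
# Block directory listing (a directory without an index file then returns 403)
Options -Indexes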
Handling 403 in Your App
// Don't send the user to login on 403 — they ARE logged in
if (res.status === 403) {
  // Double quotes so the apostrophe in "don't" does not end the string
  showError("You don't have permission to access this resource.");
  // Optionally redirect to a 403 page
  // window.location.href = '/403';
}
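
The 401/403 split from the table above, together with the client handling in this section, as an added example that is not code from the original page. The session store, token values, role names and function names are constructed for illustration.

```javascript
// Constructed session store: token -> user. All names here are hypothetical.
const SESSIONS = new Map([
  ["tok-alice", { name: "alice", roles: ["admin", "viewer"] }],
  ["tok-bob", { name: "bob", roles: ["viewer"] }],
]);

// Server side: decide the status code for a request to a role-protected route.
function authorize(headers, requiredRole) {
  const auth = headers["authorization"] || "";
  const match = /^Bearer (\S+)$/.exec(auth);
  const user = match ? SESSIONS.get(match[1]) : undefined;
  if (!user) {
    // Missing or invalid credentials: authentication failed, so 401.
    // RFC 9110 requires a WWW-Authenticate challenge on 401 responses.
    return { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="app"' } };
  }
  if (!user.roles.includes(requiredRole)) {
    // Identity is known but lacks the role: authorisation failed, so 403.
    // Re-sending the same credentials will not change the outcome.
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: {}, user: user.name };
}

// Client side: map the status to the action the UI should take.
function clientAction(status) {
  if (status === 401) return "redirect-to-login";
  if (status === 403) return "show-permission-error";
  return "render";
}

// Constructed sample requests against a route that requires "admin".
const samples = [
  {},                                      // no credentials
  { authorization: "Bearer tok-expired" }, // unknown token
  { authorization: "Bearer tok-bob" },     // valid, wrong role
  { authorization: "Bearer tok-alice" },   // valid, has role
];
for (const h of samples) {
  const res = authorize(h, "admin");
  console.log(res.status, clientAction(res.status));
}
```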