HTTP 403 Forbidden — Permissions and CORS Issues

Debug HTTP 403 Forbidden errors. Learn the difference between 401 and 403, CORS preflight failures, API key issues, and server-side permission configuration.


HTTP 403 Forbidden

A 403 error means the server understood the request but refuses to authorize it. Unlike 401 (where the client has not identified itself, or the credentials it sent were not accepted), 403 means the client's identity may be known but it lacks permission for this particular resource or action. Retrying the same request with the same credentials will not help; the permissions themselves have to change.

401 vs 403

Code   Meaning                        Action
----   ----------------------------   -----------------------------------
401    "Who are you?"                 Provide authentication credentials
403    "I know who you are, but no."  Request different permissions

Common Causes

1. CORS preflight failure:

Access to fetch at 'https://api.example.com/data'
from origin 'http://localhost:3000' has been blocked by CORS policy

This appears as a 403 in the browser console, but it is actually a CORS issue: the browser's preflight (an OPTIONS request sent before the real one) did not receive the Access-Control-* headers it requires, so the browser blocks the response regardless of what status the server returned. Fix on the server:

// Express
app.use(cors({
  origin: 'http://localhost:3000',
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization']
}));
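To make the preflight decision concrete, here is an added example (not the page's Express/cors code) that implements the same policy as plain functions: it takes the headers a browser sends on an OPTIONS preflight and returns the status and CORS headers the server should answer with. The origin allowlist, method list and header list are assumptions copied from the configuration above; header names are assumed to arrive lowercased, as Node's http module delivers them.

```javascript
// Added example, not from the page: the allow/deny logic a CORS preflight runs.
// ALLOWED_* mirror the cors() options shown above (assumed values).
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Decide which CORS headers (if any) to attach to a response.
// Returns null when the origin, method or requested headers are not allowed;
// without these headers the browser blocks the response and logs the
// "blocked by CORS policy" message quoted above, even if the server's own
// status was 200.
function corsHeadersFor(origin, requestMethod, requestedHeaders) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    'Access-Control-Allow-Origin': origin,
    // The allow-origin value differs per requester, so caches must key on Origin.
    'Vary': 'Origin',
  };
  if (requestMethod) {
    // Preflight: the browser announces the method and headers it intends to use.
    const method = requestMethod.toUpperCase();
    if (!ALLOWED_METHODS.includes(method)) return null;
    const wanted = (requestedHeaders || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (!wanted.every((h) => ALLOWED_HEADERS.includes(h))) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // seconds the browser may cache this preflight
  }
  return headers;
}

// Full answer to an OPTIONS preflight: 204 with CORS headers when allowed,
// otherwise a 403 with none. (Answering 204 without headers would block the
// browser just the same; a 403 makes the refusal visible in server logs.)
function handlePreflight(reqHeaders) {
  const cors = corsHeadersFor(
    reqHeaders['origin'],
    reqHeaders['access-control-request-method'],
    reqHeaders['access-control-request-headers'],
  );
  if (cors === null) return { status: 403, headers: {} };
  return { status: 204, headers: cors };
}
```

When debugging, compare the server's own status with what the console shows: a preflight that returns 204 but lacks Access-Control-Allow-Origin for your origin is a CORS problem, while a 403 on the actual GET/POST with the CORS headers present is a genuine permission denial.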

2. Insufficient API permissions:

// GitHub API: token has "read:user" but endpoint needs "repo" scope
// AWS: IAM policy denying s3:PutObject
// Google Cloud: service account missing required role
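The 401-versus-403 table and the scope examples above describe one decision: no usable credentials gives 401, known caller without the needed scope gives 403. The following added example (not from the page or any of the providers named) encodes that decision for a small API. The token table, the scope names modelled on the GitHub-style scopes above, and the route list are constructed for illustration; a real service validates a signed or opaque token against its issuer rather than looking up a string in a map.

```javascript
// Added example, not from the page: authorization check that separates
// "not authenticated" (401) from "authenticated but not permitted" (403).
// TOKENS and REQUIRED_SCOPE are constructed sample data.
const TOKENS = {
  tok_reader: { user: 'alice', scopes: ['read:user'] },
  tok_maint: { user: 'bob', scopes: ['read:user', 'repo'] },
};

// Scope each route requires.
const REQUIRED_SCOPE = {
  'GET /user': 'read:user',
  'POST /repos/x/issues': 'repo',
};

// Extract the token from an "Authorization: Bearer <token>" header; null if absent/malformed.
function parseBearer(authHeader) {
  if (typeof authHeader !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(authHeader.trim());
  return m ? m[1] : null;
}

// Returns { status, body[, headers] }. Header names are assumed lowercased
// (as Node's http module delivers them).
function authorize(method, path, headers) {
  const route = `${method.toUpperCase()} ${path}`;
  const needed = REQUIRED_SCOPE[route];
  if (needed === undefined) return { status: 404, body: 'no such route' };

  const token = parseBearer(headers['authorization']);
  const principal = token ? TOKENS[token] : undefined;
  if (!principal) {
    // "Who are you?" Missing or unrecognised credentials. WWW-Authenticate
    // tells the client which scheme to use when it retries.
    return {
      status: 401,
      body: 'authentication required',
      headers: { 'WWW-Authenticate': 'Bearer' },
    };
  }
  if (!principal.scopes.includes(needed)) {
    // "I know who you are, but no." Retrying with the same token cannot
    // succeed; the client needs a token that carries the missing scope.
    return { status: 403, body: `token for ${principal.user} lacks scope "${needed}"` };
  }
  return { status: 200, body: `hello ${principal.user}` };
}
```

The useful property for debugging is that the 403 body names the missing scope, which is exactly the detail step 3 of the debugging list below asks you to check; an unrecognised token is reported as 401, not 403, so the client knows to re-authenticate rather than request more permissions.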

3. IP-based restrictions:

# Nginx IP whitelist
location /admin {
    allow 192.168.1.0/24;
    deny all;  # 403 for everyone else
}
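To reason about which clients the block above turns away, here is an added example (not nginx code and not from the page) that re-implements the rule evaluation: rules are tried in order, the first match decides, and an address matching no rule is allowed. The rule list is the one from the location /admin block; the client addresses are constructed, and only IPv4 is handled.

```javascript
// Added example, not from the page: evaluate nginx-style allow/deny rules.
// ADMIN_RULES reproduces the location /admin block shown above.
const ADMIN_RULES = [
  { action: 'allow', cidr: '192.168.1.0/24' },
  { action: 'deny', cidr: 'all' },
];

// Dotted-quad IPv4 string to an unsigned integer (plain arithmetic to avoid
// the signed 32-bit wraparound of JavaScript's bitwise operators).
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + n;
  }, 0);
}

// True if ip falls inside cidr ("a.b.c.d/n", "a.b.c.d" or the keyword "all").
function inCidr(ip, cidr) {
  if (cidr === 'all') return true;
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix in ${cidr}`);
  if (bits === 0) return true;
  const block = 2 ** (32 - bits); // size of the network block
  return Math.floor(ipv4ToInt(ip) / block) === Math.floor(ipv4ToInt(net) / block);
}

// First matching rule wins; with no match nginx allows the request.
// Returns the HTTP status the client would receive: 200 or 403.
function accessStatus(clientIp, rules) {
  for (const rule of rules) {
    if (inCidr(clientIp, rule.cidr)) return rule.action === 'allow' ? 200 : 403;
  }
  return 200;
}
```

One caveat worth checking before concluding the rules are wrong: if nginx sits behind a load balancer or CDN, the address it evaluates is the proxy's, so every client gets the same verdict; the real client address has to be recovered with the realip module (set_real_ip_from and real_ip_header) before allow/deny rules see it.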

4. File permissions (static files):

# Web server cannot read the file
ls -la /var/www/html/page.html
# -rw------- 1 root root ... page.html    <- only root can read it

# Fix
chmod 644 /var/www/html/page.html
chown www-data:www-data /var/www/html/page.html

5. WAF/security rules: Web Application Firewalls (Cloudflare, AWS WAF, ModSecurity) may block requests that match suspicious patterns, returning 403.

Debugging Steps

  1. Check if the request works with different credentials
  2. Verify CORS configuration for browser requests
  3. Check API key scopes and permissions
  4. Review server access logs for the specific denial reason
  5. Test from a different IP address to rule out IP blocking
  6. Check WAF/CDN rules if using one

Use Case

403 errors are common in API integrations, especially when dealing with OAuth scopes, CORS configuration, and cloud provider IAM policies. Understanding the distinction between authentication (401) and authorization (403), and knowing how to debug CORS preflight failures, is critical for full-stack developers building applications that communicate with external APIs.
