Error fix

How to fix “403 Forbidden”

The server refuses to fulfill the request—permissions, IP rules, or policy blocked access.

Updated Apr 20, 2026

Fastest fix

Start here first. Step 1 fixes most cases—then work down the list.

  1. Verify cookies/tokens and that the user has the right role for the URL.
  2. Review WAF/geo/IP allowlists and recent rule changes.
  3. Check file permissions on static hosts (bucket policies, nginx deny).

Why this works

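These steps work because they rule out stale cached state, such as an old cookie or token, that can cause the same request to fail repeatedly, and then check the edge rules and file permissions that can deny it.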

What this means

Unlike 401 (not authenticated), 403 usually means the server knows who you are—or allows anonymous—but will not authorize this resource.

Common causes

  • ACLs and roles

    Missing role, wrong tenant, or object-level permissions in the app.

  • Edge rules

    WAF, geo block, hotlink protection, or bot scoring.

Step-by-step fix

  1. Confirm identity and policy

    1. Verify cookies/tokens and that the user has the right role for the URL.
    2. Review WAF/geo/IP allowlists and recent rule changes.
    3. Check file permissions on static hosts (bucket policies, nginx deny).

FAQ

403 vs 401?
401 signals that authentication is required or failed; 403 signals that access, whether authenticated or anonymous, is denied by policy.

403 on static files?
Often directory listing off, wrong chmod, or S3 bucket policy blocking public reads.

403 only in production?
Compare env-based feature flags, IP allowlists, and CORS vs CSRF settings.
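
For the static-file case (step 3 above and the "403 on static files?" answer), this added example, which is not part of the original page, finds the first path component whose Unix mode bits deny the web server account. The names `first_block` and `demo` and the sample tree are constructed for illustration; ACLs, SELinux labels and the root override are assumed out of scope.

```python
import os
import stat
import tempfile
from pathlib import Path


def _allowed(st, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & want) == want


def first_block(target, uid, gids, root="/"):
    """Return (path, reason) for the first component under root whose mode
    bits deny uid/gids, or None. Directories need search (x), files read (r)."""
    root, target = Path(root).resolve(), Path(target).resolve()
    parts = target.relative_to(root).parts  # ValueError if target is outside root
    for i in range(len(parts) + 1):
        p = root.joinpath(*parts[:i])  # root itself, then each level down
        st = p.stat()
        is_dir = stat.S_ISDIR(st.st_mode)
        if not _allowed(st, uid, gids, 0o1 if is_dir else 0o4):
            reason = "no search (x) on directory" if is_dir else "no read (r) on file"
            return (str(p), reason)
    return None


def demo():
    """Build a constructed docroot and return the verdict for three files."""
    base = Path(tempfile.mkdtemp()).resolve()
    modes = {"public": 0o755, "public/ok.html": 0o644,
             "public/locked.html": 0o640,
             "private": 0o750, "private/secret.html": 0o644}
    for rel, mode in modes.items():
        p = base / rel
        if "." in rel:
            p.write_text("sample")
        else:
            p.mkdir()
        os.chmod(p, mode)
    os.chmod(base, 0o755)
    # Stand-in web server account (assumption): owns nothing in the tree.
    stats = [base.stat()] + [(base / r).stat() for r in modes]
    uid = max(s.st_uid for s in stats) + 1
    gids = {max(s.st_gid for s in stats) + 1}
    return {r: first_block(base / r, uid, gids, root=base)
            for r in modes if "." in r}
```

On a real host, pass the web server's numeric uid and group ids and leave `root` at `/`, since a missing search bit on any parent directory produces the same 403 as a wrong mode on the file itself.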
