4xx Client Error · Commonly used · RFC 9110
403 Forbidden
Server understood the request but refuses to authorize it.
What it means
The server understood the request and, in the usual case, knows who the client is, but its authorization policy says no. Unlike 401, presenting credentials again (or different ones) will not help: the server is not asking "who are you?", it is saying "you may not do this". A 403 does not strictly require an authenticated user; a server may also refuse requests it will never accept regardless of identity, such as those from a blocked IP. RFC 9110 also allows a server that does not want to reveal that a forbidden resource exists to answer 404 instead, which matters when object identifiers are guessable and a 403 would confirm that a given id is real.
When to use it
- ✓Authenticated user lacks the required role or permission
- ✓Trying to access another user's private data
- ✓Admin-only route accessed by regular user
- ✓Client IP or network is on a blocklist (an exceeded rate limit is 429 Too Many Requests, not 403)
Common causes
- →User does not have the required role (e.g. admin)
- →Accessing another user's resource
- →A server-side Origin or Referer check rejecting the request (a browser CORS failure is not a 403: the browser receives the server's actual response and merely refuses to expose it to script)
- →File permissions preventing access
Code Examples
Express — role-based access
javascript
const express = require('express');
const app = express();

// Assumes an upstream authentication middleware has set req.user
// (e.g. { id: 'alice', roles: ['admin'] }) or left it undefined.
const requireRole = (role) => (req, res, next) => {
  if (!req.user) {
    // Not authenticated: 401, and tell the client how to authenticate.
    return res.status(401).set('WWW-Authenticate', 'Bearer').json({ error: 'Not authenticated' });
  }
  // Guard against a user object with no roles array at all.
  const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
  if (!roles.includes(role)) {
    // Authenticated but not permitted: 403. Re-authenticating won't help.
    return res.status(403).json({
      error: 'Forbidden',
      message: `Requires ${role} role`,
    });
  }
  next();
};

const handler = (req, res) => res.status(204).end();
app.delete('/users/:id', requireRole('admin'), handler);
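Role checks like the one above do not cover the "accessing another user's resource" case listed under When to use it and Common causes: a regular user is allowed to read documents, just not someone else's. The following added example (not code from the page) shows that object-level check as a pure decision function with an Express-shaped handler on top, including the RFC 9110 option of answering 404 instead of 403 so that an attacker iterating ids cannot learn which ones exist. The in-memory store, the user shape `{ id, roles }`, the `hideExistence` option and the `stubResponse` helper are assumptions made for the example.

```javascript
// Added example, not the page's own code. Object-level authorization for the
// "accessing another user's resource" case, with the RFC 9110 option of
// answering 404 instead of 403 to hide that a forbidden resource exists.
// The store, the user shape { id, roles } and the hideExistence option are
// assumptions made for this example.

// Constructed sample data: two documents owned by different users.
const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', title: 'Q3 plan' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', title: 'Incident notes' }],
]);

// Pure decision: returns the status, headers and body the request should get.
function authorizeDocumentRead(user, docId, { hideExistence = false } = {}) {
  if (!user) {
    // No identity at all: 401, with WWW-Authenticate so the client can retry
    // with credentials. A 403 here would wrongly tell it not to bother.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': 'Bearer' },
      body: { error: 'Not authenticated' },
    };
  }
  const doc = documents.get(docId);
  const isOwner = doc !== undefined && doc.ownerId === user.id;
  const isAdmin = Array.isArray(user.roles) && user.roles.includes('admin');
  if (doc !== undefined && (isOwner || isAdmin)) {
    return { status: 200, headers: {}, body: doc };
  }
  if (doc === undefined || hideExistence) {
    // Identical response for "no such document" and "exists, but not yours",
    // so an attacker iterating ids cannot learn which ones exist.
    return { status: 404, headers: {}, body: { error: 'Not found' } };
  }
  // Identity is known and the policy says no: 403. Re-authenticating won't help.
  return { status: 403, headers: {}, body: { error: 'Forbidden' } };
}

// Express-shaped handler over the pure decision. req.user is assumed to be
// set by an upstream authentication middleware; only set/status/json are
// used on res, so it also runs against the stub below without a server.
function documentReadHandler(opts) {
  return (req, res) => {
    const result = authorizeDocumentRead(req.user, req.params.id, opts);
    for (const [name, value] of Object.entries(result.headers)) {
      res.set(name, value);
    }
    return res.status(result.status).json(result.body);
  };
}

// Minimal stand-in for Express' res so the handler can be exercised offline.
function stubResponse() {
  const res = { headers: {}, statusCode: 0, payload: undefined };
  res.set = (name, value) => { res.headers[name] = value; return res; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.payload = body; return res; };
  return res;
}

// Runs one request through the handler and reports the status it produced.
function statusFor(user, docId, opts) {
  const res = stubResponse();
  documentReadHandler(opts)({ user, params: { id: docId } }, res);
  return res.statusCode;
}

const bob = { id: 'bob', roles: [] };
console.log(statusFor(undefined, 'doc-1'));                    // 401
console.log(statusFor(bob, 'doc-2'));                          // 200 (bob owns it)
console.log(statusFor(bob, 'doc-1'));                          // 403 (alice's document)
console.log(statusFor(bob, 'doc-1', { hideExistence: true })); // 404
console.log(statusFor(bob, 'doc-9', { hideExistence: true })); // 404, indistinguishable from above
```

The decision is kept separate from the transport so the policy can be unit-tested without a server, and so the same function can back other verbs. Whether to run with `hideExistence` is a per-resource choice: it costs some debuggability for legitimate callers, but for resources with sequential or guessable ids it removes the oracle that a bare 403 provides.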