HTTP 403: Difference between revisions

Content deleted Content added

Inline

Revision as of 16:16, 7 July 2019

HTTP 403 is a standard HTTP status code communicated to clients by an HTTP server to indicate that access to the requested (valid) URL by the client is Forbidden for some reason. The server understood the request, but will not fulfil it due to client related issues. IIS defines non standard "sub-status" error codes that provide a more specific reason for responding with the 403 status code.

Specification

HTTP 403 provides a distinct error case from HTTP 401; while HTTP 401 is returned when the client has not authenticated, and implies that a successful response may be returned following valid authentication, HTTP 403 is returned when the client is not permitted access to the resource despite providing authentication such as insufficient permissions of the authenticated account.

Error 403: "The server understood the request, but is refusing to authorize it.", RFC 7231^[1]

Error 401: "The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials." RFC2616^[2]

See "403 substatus error codes for IIS" for possible reasons of why the webserver is refusing to fulfil the request.

The Apache web server returns 403 Forbidden in response to requests for URL paths that correspond to file system directories when directory listings have been disabled in the server and there is no Directory Index directive to specify an existing file to be returned to the browser. Some administrators configure the Mod proxy extension to Apache to block such requests and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory listings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header or issued a Depth header of infinity.^[3]

403 substatus error codes for IIS

File:Screenshot - Access denied Statistics and Data U.N. Website.png

Screenshot - Access denied for statistics and data section in U.N website

The following nonstandard codes are returned by Microsoft's Internet Information Services and are not officially recognized by IANA.

403.1 - Execute access forbidden.
403.2 - Read access forbidden.
403.3 - Write access forbidden.
403.4 - SSL required
403.5 - SSL 128 required.
403.6 - IP address rejected.
403.7 - Client certificate required.
403.8 - Site access denied.
403.9 - Too many users.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access.
403.13 - Client certificate revoked.
403.14 - Directory listing denied.
403.15 - Client Access Licenses exceeded.
403.16 - Client certificate is untrusted or invalid.
403.17 - Client certificate has expired or is not yet valid.
403.18 - Cannot execute request from that application pool.
403.19 - Cannot execute CGIs for the client in this application pool.
403.20 - Passport logon failed.
403.21 - Source access denied.
403.22 - Infinite depth is denied.
403.502 - Too many requests from the same client IP; Dynamic IP Restriction limit reached.
403.503 - Rejected due to IP address restriction

References

^ Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. sec. 6.5.3. doi:10.17487/RFC7231. RFC 7231.
^ "RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1". Tools.ietf.org. Retrieved 2018-04-09.
^ "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)". IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 11, 2016. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

[1] Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. IETF. sec. 6.5.3. doi:10.17487/RFC7231. RFC 7231.

[2] "RFC 2616 - Hypertext Transfer Protocol - HTTP/1.1". Tools.ietf.org. Retrieved 2018-04-09.

[RFC-3] "HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)". IETF. June 2007. Archived from the original on March 3, 2016. Retrieved January 11, 2016. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)

[1]

[2]

[3]

@@ Line 32: / Line 32: @@
 ==403 substatus error codes for IIS==
 [[File:English Wikipedia 403 2017.jpg|thumb|[[English Wikipedia|en.Wikipedia]] error message]]
+[[File:Screenshot - Access denied Statistics and Data U.N. Website.png|thumb|235x235px|[[Screenshot]] - Access denied for statistics and data section in [[United Nations|U.N]] website]]
 The following nonstandard codes are returned by [[Microsoft]]'s [[Internet Information Services]] and are not officially recognized by [[Internet Assigned Numbers Authority|IANA]].

v t e Error messages
System failure	Bomb icon Fatal system error Guru Meditation Kernel panic Linux kernel oops Red Ring of Death Sad Mac Screen of death Blue Black
Application failure	ABEND Fatal exception error Segmentation fault
Device and data errors	HTTP 402 HTTP 403 HTTP 404 HTTP 500 lp0 on fire Not a typewriter PC LOAD LETTER
Other	Abort, Retry, Fail? Bad command or file name Halt and Catch Fire HTTP 418 Out of memory Does not compute
Lists	List of HTTP status codes List of FTP server return codes List of SMTP server return codes
Related	Spinning pinwheel Windows wait cursor 2024 CrowdStrike incident

Revision as of 16:16, 7 July 2019

Specification

403 substatus error codes for IIS

See also

References