HTTP Error 403 - Forbidden

Introduction

Your Web server thinks that the HTTP data stream sent by the client (e.g. your Web browser or our CheckUpDown robot) was correct, but access to the resource identified by the URL is forbidden for some reason.

This indicates a fundamental access problem, which may be difficult to resolve because the HTTP protocol allows the Web server to give this response without providing any reason at all. So the 403 error is equivalent to a blanket 'NO' by your Web server - with no further discussion allowed.

By far the most common reason for this error is that directory browsing is forbidden for the Web site. Most Web sites want you to navigate using the URLs in the Web pages for that site. They do not often allow you to browse the file directory structure of the site. For example try the following URL (then hit the 'Back' button in your browser to return to this page):

http://www.checkupdown.com/accounts/grpb/B1394343/

This URL should fail with a 403 error saying "Forbidden: You don't have permission to access /accounts/grpb/B1394343/ on this server". This is because our CheckUpDown Web site deliberately does not want you to browse directories - you have to navigate from one specific Web page to another using the hyperlinks in those Web pages. This is true for most Web sites on the Internet - their Web server has "Allow directory browsing" set OFF.

403 errors in the HTTP cycle

Any client (e.g. your Web browser or our CheckUpDown robot) goes through the following cycle:

  • Obtain an IP address from the IP name of your site (your site URL without the leading 'http://'). This lookup (conversion of IP name to IP address) is provided by domain name servers (DNSs).
  • Open an IP socket connection to that IP address.
  • Write an HTTP data stream through that socket.
  • Receive an HTTP data stream back from your Web server in response. This data stream contains status codes whose values are determined by the HTTP protocol. Parse this data stream for status codes and other useful information.

This error occurs in the final step above when the client receives an HTTP status code that it recognises as '403'.

Resolving 403 errors - general

You first need to confirm if you have encountered a "No directory browsing" problem. You can see this if the URL ends in a slash '/' rather than the name of a specific Web page (e.g. .htm or .html). If this is your problem, then you have no option but to access individual Web pages for that Web site directly.

It is possible that there should be some content in the directory, but there is none there yet. For example if your ISP offers a 'Home Page' then you need to provide some content - usually HTML files - for the Home Page directory that your ISP assigns to you. Until the content is there, anyone trying to access your Home Page could encounter a 403 error. The solution is to upload the missing content - directly yourself or by providing it to your ISP. Once the content is in the directory, it also needs to be authorised for public access via the Internet. Your ISP should do this as a matter of course - if they do not, then they have missed a no-brainer step.

If your entire Web site is actually secured in some way (is not open at all to casual Internet users), then an 401 - Not authorized message could be expected. It is possible, but unlikely, that your Web server issues an 403 message instead.

Some Web servers may also issue an 403 error if they at one time hosted your site, but now no longer do so and can not or will not provide a redirection to a new URL. In this case it is not unusual for the 403 error to be returned instead of a more helpful error. So if you have recently changed any aspect of your Web site setup (e.g. switched ISPs), then a 403 message is a possibility. Obviously this message should disappear in time - typically within a week or two - as the Internet catches up with whatever change you have made.

If you think that the Web URL *should* be accessible to all and sundry on the Internet and you have not recently changed anything fundamental in your Web site setup, then an 403 message indicates a deeper problem. The first thing you can do is check your URL via a Web browser. This browser should be running on a computer to which you have never previously identified yourself in any way, and you should avoid authentication (passwords etc.) that you have used previously. Ideally all this should be done over a completely different Internet connection to any you have used before (e.g. a different ISP dial-up connection). In short, you are trying to get the same behaviour a total stranger would get if they surfed the Internet to your Web page URL.

If this type of browser check indicates no authority problems, then it is possible that your Web server (or surrounding systems) have been configured to disallow certain patterns of HTTP traffic. In other words, HTTP communication from a well-known Web browser is allowed, but automated communication from other systems is rejected with an 403 error code. This is unusual, but may indicate a very defensive security policy around your Web server.

Resolving 403 errors - CheckUpDown

The first question is whether the Web page for your URL is freely available to everyone on the Internet. If this is not the case, then you may need to provide two items 2. Web Site User ID and 3. Web Site Password for your CheckUpDown account - but only if your site uses HTTP Basic Authentication. The Web Master or other IT support people at your site will know what security and authentication is used.

If however your Web page is open to all comers and there have been no fundamental changes recently to how your Web site is hosted and accessed, then an 403 message should only appear if your Web server objects to some aspect of the access we are trying to get to your Web site. Because it indicates a fundamental authority problem, we can only resolve this by negotiation with the personnel responsible for security on and around your Web site. These discussions unfortunately may take some time, but can often be amicably resolved. You can assist by endorsing our service to your security personnel. Please contact us (email preferred) if you see persistent 403 errors, so that we can agree the best way to resolve them.

CheckUpDown logo
We monitor your site for errors like 403. Please click any of the buttons below for more information.
More about the service we provide Look at some examples of live accounts Try our service free for 90 days How much a LIVE account costs We respect your privacy More about our company and the Web sites we run
 

Our company also owns these other Web sites:

ContractDB logo A searchable database of skilled IT contractors/consultants. Clients can easily find computer contractors directly (no agents). Search engine matches contractors to client requirements. Site free to IT people, very low-cost to clients - pay only if satisfied. www.contractdb.com
Prospero Software Computer software and consultancy for Microsoft Windows and IBM AS/400 platforms. Utility and application software written in a variety of programming languages - particularly Java. Many free software offerings. www.prosperosoftware.co.uk
RecoverPDA logo Secure, confidential and low-cost recovery of your PDAs (Blackberries, handhelds, mobile phones etc.) when you lose them. Uses combination of SMS / Web / phone technologies. www.recoverpda.com.
Keysback logo Secure, confidential and low-cost recovery of your business keys (keyrings, keyfobs). www.keysback.co.uk. Uses combination of SMS / Web / phone technologies.
FLKS We run and support a small charity (Free Lessons for Knysna Scoolchildren) that provides free tuition for poor schoolchildren in Knysna, Republic of South Africa. www.flks.org
Prospero Associates Our top-level company site. www.prosperoassociates.com

Our valuable Internet domain names:  96.com logo 97.com logo 98.com logo328.com logo