[http-headers] 403 Forbidden vs 401 Unauthorized HTTP responses

TL;DR

  • 401: A refusal that has to do with authentication
  • 403: A refusal that has NOTHING to do with authentication

Practical Examples

If apache requires authentication (via .htaccess), and you hit Cancel, it will respond with a 401 Authorization Required

If nginx finds a file, but has no access rights (user/group) to read/access it, it will respond with 403 Forbidden

RFC (2616 Section 10)

401 Unauthorized (10.4.2)

Meaning 1: Need to authenticate

The request requires user authentication. ...

Meaning 2: Authentication insufficient

... If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. ...

403 Forbidden (10.4.4)

Meaning: Unrelated to authentication

... Authorization will not help ...

More details:

  • The server understood the request, but is refusing to fulfill it.

  • It SHOULD describe the reason for the refusal in the entity

  • The status code 404 (Not Found) can be used instead

    (If the server wants to keep this information from client)

Examples related to http-headers

Set cookies for cross origin requests Adding a HTTP header to the Angular HttpClient doesn't send the header, why? Passing headers with axios POST request What is HTTP "Host" header? CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response Using Axios GET with Authorization Header in React-Native App Axios get access to response header fields Custom header to HttpClient request Send multipart/form-data files with angular using $http Best HTTP Authorization header type for JWT

Examples related to http-status-code-403

Nginx 403 error: directory index of [folder] is forbidden HTTP error 403 in Python 3 Web Scraping MVC4 HTTP Error 403.14 - Forbidden Error message "Forbidden You don't have permission to access / on this server" WAMP 403 Forbidden message on Windows 7 Apache VirtualHost 403 Forbidden Nginx 403 forbidden for all files Emulate a 403 error page 403 Forbidden vs 401 Unauthorized HTTP responses Apache gives me 403 Access Forbidden when DocumentRoot points to two different drives

Examples related to http-status-codes

Laravel - Return json along with http status code Spring: return @ResponseBody "ResponseEntity<List<JSONObject>>" HTTP status code 0 - Error Domain=NSURLErrorDomain? 400 vs 422 response to POST of data Python Request Post with param data HTTP Get with 204 No Content: Is that normal Throw HttpResponseException or return Request.CreateErrorResponse? Returning http status code from Web Api controller How to specify HTTP error code? How to get HTTP response code for a URL in Java?

Examples related to http-status-code-401

HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers 401 Unauthorized: Access is denied due to invalid credentials Server returned HTTP response code: 401 for URL: https 403 Forbidden vs 401 Unauthorized HTTP responses How do I get the HTTP status code with jQuery?

Examples related to http-response-codes

What is "406-Not Acceptable Response" in HTTP? 403 Forbidden vs 401 Unauthorized HTTP responses PHP: How to send HTTP response code?