Reference

What does HTTP 403 Forbidden actually mean? Blocked vs broken

6 min read · Published Jul 17, 2026
Contents · 7 sections
  1. The one-line definition
  2. 403 vs 401 vs Cloudflare error 1020
  3. Five different things a 403 can mean
  4. The classic signature: 403 in curl, 200 in a browser
  5. How a multi-method check makes the block visible
  6. Fixes by cause
  7. FAQ

A 403 Forbidden response means the server received your request, understood exactly what you asked for, and refused to serve it. Nothing timed out and nothing crashed. That makes 403 fundamentally different from the 5xx family: the site is not broken, it is blocking. The diagnostic work is figuring out which layer made that decision, and whether it was aimed at you specifically.

The one-line definition

403 Forbidden is an HTTP response status code indicating the server understood the request but refuses to fulfill it.

Per RFC 9110, the refusal is about authorization or policy, not about the request being malformed. The spec adds a detail that matters in practice: if the request already included credentials, the server considered them and refused anyway, so repeating the same request with the same credentials will not change the answer. A 403 is a closed door, not a broken one.

403 vs 401 vs Cloudflare error 1020

CodeMessage in plain termsTypical sourceDoes retrying help?
401 Unauthorized"I don't know who you are."Missing or invalid credentialsYes, log in or send a valid key
403 Forbidden"I know what you want, and no."Policy, permissions, or a security layerNot without a policy or account change
Cloudflare 1020"The owner's firewall rule matched you."A Cloudflare WAF rule, served with HTTP 403Not from the same IP or client

Cloudflare's error 1020 deserves the extra row because it is the most common branded 403 on the web: the HTTP status is 403, but the page body says "Access denied, error 1020," meaning a firewall rule the site owner configured matched your request. It has its own diagnostic path, covered in our error 1020 guide.

Five different things a 403 can mean

The same three-digit code is emitted by at least five unrelated mechanisms, and working out which one you hit is most of the fix.

The classic signature: 403 in curl, 200 in a browser

The most common 403 confusion looks like this:

curl -I https://example.com/
HTTP/2 403

while the same URL renders instantly in Chrome. Nothing is down. A filter in front of the site is classifying requests, and yours only passes when it looks like a human browser. curl announces itself with a User-Agent of curl/8.x, sends a minimal header set, and produces a TLS fingerprint no consumer browser produces. Bot filters key on exactly those signals.

The reverse also happens: a script with a spoofed browser User-Agent gets 200 on GET while every HEAD request gets 403, because the operator refused the HEAD method outright. Either way the lesson is the same, a single request type tells you almost nothing about whether a site is actually reachable.

How a multi-method check makes the block visible

isitdown.io probes every monitored site with 4 independent methods in parallel, every 5 minutes: an HTTP/1.1 request with strict TLS validation, an HTTP/2 request with relaxed TLS, a GET sent with a real browser User-Agent, and a HEAD sent with a curl User-Agent. The diversity is in the request types, not in geography, and that is deliberate: 403-class problems are request-type problems.

Read the pattern like this:

A mixed result, some methods passing and some failing, means the site is up but blocking or mishandling a specific request type. Incidents only open after 2 consecutive failed 5-minute rounds and resolve after 2 consecutive passes, so a one-off WAF hiccup never pages anyone. The full reasoning behind the four-method design is in multi-method checks explained, and you can test any domain right now at isitdown.io.

Fixes by cause

CauseIf you are a visitorIf you own the site
Auth stateLog out and back in, clear cookies for the site, regenerate the API keyReturn 401 for missing or invalid credentials, reserve 403 for genuine policy refusals
EntitlementConfirm your plan or role includes the resource, then ask an adminSay in the error body which permission is missing, silent 403s become support tickets
WAF or bot blockUse a normal browser, slow your request rate, drop automation-only headersTune the rule, allowlist known-good monitors and partners by token rather than by UA string
Geo or IP blockTurn the VPN off or pick a different exit, try another networkDocument which regions you block, use 451 where the block is a legal requirement
Hotlink protectionOpen the asset from the page it belongs toExempt your own domains and your monitoring from Referer checks

For owners, one rule pays for itself repeatedly: never let your WAF 403 your own monitoring. If your uptime checker reports 403 while customers see 200, every real incident afterwards hides inside that noise.

FAQ

Does a 403 mean the site is down?

No. A 403 is positive proof the server is up: it received your request, parsed it, and answered. The practical effect for you may be identical to an outage, but the fix lives on the policy side, not the infrastructure side.

Why do I get 403 on one network but not another?

IP-based filtering. VPN exits, cloud-provider ranges, and shared corporate NATs accumulate bad reputation because earlier traffic from those addresses misbehaved. Switching networks changes your source IP, and often the answer.

Is 403 ever returned by mistake?

Frequently. Overly aggressive WAF rules, expired allowlists, and clock skew that invalidates signed tokens all produce 403s the operator never intended. If a page you use daily suddenly returns 403 and a multi-method check shows a mixed result, report it, the operator likely tightened a rule without noticing the collateral damage.

Should monitoring treat 403 as a failure?

Treat it as a state change worth an alert, not automatically as an outage. A sudden 403 on all four methods right after a deploy usually means an auth or firewall change shipped by accident, which is exactly the kind of transition a webhook alert on every status change is built to catch.

Share 𝕏 Twitter LinkedIn
Keep reading

← All notes & guides