A 403 Forbidden is an HTTP status code returned by a web server when a user requests a resource and the server rejects the request. In other words, the server can be reached, but it declined to allow access to the page. The message that most browsers display is misleading. Most people think it's related to user access, but there are quite a few causes. In Microsoft IIS it's common to see this response when directory listings are denied. Let's look at how to start troubleshooting 403 response codes.
This response is returned by the Apache web server when directory listings have been disabled or an .htaccess file is restricting access.
.htaccess files are commonly used in Apache to restrict access, so it's very likely to be the cause. DigitalOcean has a great tutorial on configuring .htaccess files.
Also, if Apache is functioning as a reverse proxy, the 403 is likely coming from the back-end web server.
If the configured default document(s) are not present, IIS will attempt to do Directory Browsing. If Directory Browsing is disabled, which is the default configuration starting in IIS6, IIS will respond with a 403.
With HTTP Modules in IIS7 it's a lot easier to develop custom code that filters traffic. If a developer (Scott Hanselman has a great tutorial) has added an IP Restriction HttpModule in the <modules> section of the web.config, this will likely result in a 403 response under the right scenario, and the cause could be difficult to find. You can verify this by enabling FREB Tracing, or by logging into the web server and connecting with the server's address (not localhost), where you'll see the detailed message.
Microsoft IIS Sub Status Codes
The following sub status codes are returned by IIS to provide more detail as to why the request was rejected. In most scenarios you need to inspect the IIS log file to find the sub status code. An HTTP trace tool like Fiddler will only show the 403 response code. Under the default logging configuration, the sub status code is in the 11th position.
- 403.1 – Execute access forbidden.
- 403.2 – Read access forbidden.
- 403.3 – Write access forbidden.
- 403.4 – SSL required.
- 403.5 – SSL 128 required.
- 403.6 – IP address rejected.
- 403.7 – Client certificate required.
- 403.8 – Site access denied.
- 403.9 – Too many users.
- 403.10 – Invalid configuration.
- 403.11 – Password change.
- 403.12 – Mapper denied access.
- 403.13 – Client certificate revoked.
- 403.14 – Directory listing denied.
- 403.15 – Client Access Licenses exceeded.
- 403.16 – Client certificate is untrusted or invalid.
- 403.17 – Client certificate has expired or is not yet valid.
- 403.18 – Cannot execute request from that application pool.
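To pull the sub status codes out of an IIS log in bulk, the following added example (not part of the original article) finds the `sc-status` and `sc-substatus` columns by name from the log's `#Fields:` header instead of relying on a fixed position, since the logged fields are configurable. The log lines, addresses and field selection are constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter

# Sub status descriptions taken from the list above.
SUBSTATUS = {
    1: "Execute access forbidden", 2: "Read access forbidden",
    3: "Write access forbidden", 4: "SSL required",
    5: "SSL 128 required", 6: "IP address rejected",
    7: "Client certificate required", 8: "Site access denied",
    9: "Too many users", 10: "Invalid configuration",
    11: "Password change", 12: "Mapper denied access",
    13: "Client certificate revoked", 14: "Directory listing denied",
    15: "Client Access Licenses exceeded", 16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
    18: "Cannot execute request from that application pool",
}

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:02:11 192.0.2.10 GET /images/ - 80 - 198.51.100.7 Mozilla/5.0 403 14 0 15
2024-01-15 10:02:15 192.0.2.10 GET /admin/ - 80 - 203.0.113.9 Mozilla/5.0 403 6 0 3
2024-01-15 10:02:19 192.0.2.10 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2024-01-15 10:03:02 192.0.2.10 GET /images/ - 80 - 198.51.100.8 Mozilla/5.0 403 14 0 2
"""

def forbidden_requests(lines):
    """Yield (uri, client_ip, substatus, description) for each 403 entry."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue  # skip other directives and rows seen before any header
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "403":
            continue
        sub = int(row.get("sc-substatus", "0"))
        yield (row.get("cs-uri-stem"), row.get("c-ip"), sub,
               SUBSTATUS.get(sub, "not in the list above"))

def summarize(lines):
    """Count 403 responses per sub status code, e.g. '403.14'."""
    return Counter(f"403.{sub}" for _, _, sub, _ in forbidden_requests(lines))

if __name__ == "__main__":
    for uri, ip, sub, desc in forbidden_requests(SAMPLE_LOG.splitlines()):
        print(f"403.{sub:<2} {uri:<10} {ip:<14} {desc}")
```

Grouping the output of `summarize` by sub status quickly separates expected rejections, such as 403.14 on directories without a default document, from ones that point at an access rule, such as 403.6.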