403 Forbidden Error – Causes and Fixes

You spend months working day in and day out coding your website, and it is finally time to test it. You type the URL of the website into a browser and hit enter, only to be slapped back with a 403 Forbidden error. This can be very frustrating for a web designer.


A 403 Forbidden error is an HTTP status code that is displayed in the browser from which you are accessing the website. What the error is essentially telling you is that your request reached the web server, was authenticated and processed, but the server chose to do nothing with it because you are forbidden from accessing that particular page. Some 403 Forbidden errors are configured into a website by design; for example, the website’s designer could code the login page to redirect to a 403 Forbidden error if wrong credentials are entered. But what do we do when a website throws a 403 Forbidden error for a page that was not configured to do so?

As we work through each cause and solution, keep in mind this simple flow of data from a requesting computer to a web server: A user types the website’s URL and hits enter. The request is directed to the site’s web server. The web server hosts directories, in which admins create folders and files that contain the webpage’s code. Once the request reaches the desired file, the server renders the code and sends it back to the requester.

Let’s look at some common causes for the 403 forbidden error and how to fix them:

No Content in the Root Directory:

A web server is configured to direct all incoming connections first to the root directory, which is usually named httpdocs (sometimes htdocs as on WordPress). When uploading content onto a web server, all files related to the webpage must be uploaded to the httpdocs folder, or to whichever folder is the root folder of the web server. If the homepage, or a page that a link redirects to, is not in the root directory, a 403 Forbidden error is returned.

Log in to your web server and navigate to the directories page. Access the httpdocs folder and confirm that all files related to your website are correctly uploaded here. If any file is missing, upload it and the site should return to normal.


No Index Page:

After the incoming request is directed to the httpdocs directory, it looks for the index page. By convention, the index page hosts the code for the homepage and must be uploaded into the correct directory (root directory) and spelled exactly as index.html or index.php (extension depending on whether the code is in HTML or PHP). If the naming convention of the index page is wrong, or if the page is missing altogether, it will result in a 403 Forbidden error.

To verify whether this is the cause and to fix it, log in to the web server and navigate to the root directory. In here, look for the index page. If the homepage is uploaded with a different name, say home.html, simply rename it to index.html. If the spelling is incorrect, rename it to index.html or index.php. A correctly created and placed index file looks like this:

[Image: No Index Page]


A very common reason for 403 Forbidden errors is wrong access permissions set on a file or directory on the web server. The admin has rights to modify the access level on each file and/or directory, to allow or restrict certain groups from accessing it. The following are recommended permissions:
Directories/folders/executable files: 755
Images/Media/Static HTML files: 644

Each digit denotes the permission level for one class of user, in the order owner, group, others, and is the sum of the values granted: Read carries a value of 4, Write of 2 and Execute of 1. The images below give clarity on what permissions each set of numbers allows:

[Image: 755 Directory Permission]
[Image: 644 Directory Permission]

Of course, an admin can modify the permissions as they see fit, but unchecking the read access for any group will result in a 403 forbidden error for that page/file when accessed by that group.

Hidden Pages:

If a particular file or directory’s permission level (discussed earlier) is set to 000, it is not accessible over the internet. If a user clicks a link and is taken to a page whose permission on the web server is set to 000, the user receives a 403 forbidden error.

To fix this, from the error page first determine which file was being accessed, then navigate to that file in the root directory of the web server and check its permissions. If it is 000, set it to 755 or 644.
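The three checks described so far (index page name, 755/644 permissions, files set to 000) can be run in one pass over the root directory. The following is an added example, not part of the original article; it assumes the web server reads files as "others", and the helper names and sample tree are constructed for illustration. It also flags group- or world-writable entries, which are looser than the recommended 755/644.

```python
import os
import stat
import tempfile

INDEX_NAMES = ("index.html", "index.php")  # exact spellings the article requires

def describe(mode):
    """Render an octal mode such as 0o755 as 'rwxr-xr-x' (4=read, 2=write, 1=execute)."""
    bits = (0o400, 0o200, 0o100, 0o40, 0o20, 0o10, 4, 2, 1)
    return "".join(flag if mode & bit else "-" for bit, flag in zip(bits, "rwxrwxrwx"))

def audit_docroot(root):
    """Return sorted (relative path, mode, finding) tuples for likely 403 causes."""
    findings = []
    if not any(os.path.isfile(os.path.join(root, n)) for n in INDEX_NAMES):
        findings.append((".", "", "no index.html or index.php in the root directory"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            needed = 0o005 if stat.S_ISDIR(st.st_mode) else 0o004
            if mode == 0:
                issue = "mode 000: unreadable by everyone"
            elif mode & needed != needed:
                issue = "others lack read%s access" % ("/execute" if needed == 0o005 else "")
            elif mode & 0o022:
                issue = "writable by group or others (looser than 755/644)"
            else:
                continue
            findings.append((os.path.relpath(path, root), "%03o %s" % (mode, describe(mode)), issue))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: misnamed homepage, a 000 file, an over-permissive file."""
    for name, mode in (("home.html", 0o644), ("secret.html", 0o000), ("upload.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "img"), 0o700)  # directory that others cannot traverse

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_docroot(tmp):
            print(*finding, sep="\t")
```

To audit a real site, call `audit_docroot()` with the path of the server's root directory (httpdocs or htdocs) instead of the constructed tree.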

ModSecurity Installation:

ModSecurity is a Web Application Firewall that can be installed on various web servers like Apache, IIS and Nginx. ModSecurity is essentially a cyber security solution to protect websites against cross-site scripting, SQL injection, Trojans, session hijacks etc. It works on the basis of various coded parameters that admins have access to modify.

If ModSecurity detects an incoming request as a threat, the request is killed and a 403 Forbidden error is returned. To confirm, check ModSecurity’s logs. If the 403 Forbidden error was a result of ModSecurity’s intervention, the log will give clear details as to which parameter caused the error. Modifying the SecRuleEngine parameter usually fixes this error.
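To see which rule and request parameter caused a 403, the denial entries can be pulled out of the log and grouped. This is an added example, not part of the original article; it assumes the Apache error-log line format written by ModSecurity 2.x, and the sample lines (addresses, rule ids, messages, paths) are constructed.

```python
import re
from collections import Counter

# Constructed sample lines; every address, rule id and message is made up.
SAMPLE_LOG = r'''
[Tue Mar 05 10:15:01.120000 2024] [:error] [pid 2211] [client 203.0.113.7:50112] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example-pattern-a" at ARGS:comment. [file "/etc/modsecurity/rules/example.conf"] [line "57"] [id "100001"] [msg "Constructed example rule A"] [hostname "www.example.com"] [uri "/contact.php"] [unique_id "a1"]
[Tue Mar 05 10:15:09.480000 2024] [:error] [pid 2211] [client 203.0.113.8:50440] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example-pattern-a" at ARGS:comment. [file "/etc/modsecurity/rules/example.conf"] [line "57"] [id "100001"] [msg "Constructed example rule A"] [hostname "www.example.com"] [uri "/contact.php"] [unique_id "a2"]
[Tue Mar 05 10:16:30.010000 2024] [:error] [pid 2214] [client 203.0.113.7:50130] ModSecurity: Access denied with code 403 (phase 2). Pattern match "example-pattern-b" at ARGS:q. [file "/etc/modsecurity/rules/example.conf"] [line "80"] [id "100002"] [msg "Constructed example rule B"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "a3"]
[Tue Mar 05 10:17:02.900000 2024] [:error] [pid 2214] [client 203.0.113.9:40100] ModSecurity: Warning. Pattern match "example-pattern-c" at ARGS:page. [file "/etc/modsecurity/rules/example.conf"] [line "91"] [id "100003"] [msg "Constructed example rule C"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "a4"]
[Tue Mar 05 10:17:40.000000 2024] [core:error] [pid 2211] [client 203.0.113.9:40100] constructed non-ModSecurity error line
'''

DENIED = re.compile(r"ModSecurity: Access denied with code 403")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "100001"], [uri "/x"], ...
TARGET = re.compile(r" at ([A-Z_]+(?::[^\s.]+)?)\.")   # the variable that matched

def parse_denials(log_text):
    """Return one dict per request that ModSecurity blocked with a 403."""
    denials = []
    for line in log_text.splitlines():
        if not DENIED.search(line):
            continue  # warnings (not blocked) and unrelated errors are skipped
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        denials.append({
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "target": target.group(1) if target else None,
        })
    return denials

def summarize(denials):
    """Count denials per (rule id, uri, matched variable), most frequent first."""
    return Counter((d["id"], d["uri"], d["target"]) for d in denials).most_common()

if __name__ == "__main__":
    for (rule_id, uri, target), count in summarize(parse_denials(SAMPLE_LOG)):
        print(f"rule {rule_id} blocked {uri} on {target}: {count} time(s)")
```

Knowing the rule id and the parameter it matched lets the change be scoped: `SecRuleEngine DetectionOnly` logs matches without blocking while the cause is investigated, and `SecRuleRemoveById` disables only the offending rule. Setting `SecRuleEngine Off` clears the 403 but removes the firewall's protection from every request.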