Error 403

403 Forbidden

The 403 Forbidden status code indicates that the client's request was understood by the server but cannot be fulfilled due to insufficient permissions to access the requested resource. For more details, refer to RFC 7231 ↗.

Common use cases

If you encounter a 403 error without the Cloudflare branding, this means that the error is being returned directly by the origin web server, not Cloudflare. This is typically related to permission rules set on your server. Common reasons for this error are:

• Permission rules configured on the origin web server (for example, in an Apache .htaccess file).
• Mod_security rules.
• IP deny rules, such as blocking traffic from certain IP ranges. Make sure that Cloudflare's IP ranges ↗ are not being blocked.

Cloudflare-specific information

Cloudflare may serve 403 responses in the following scenarios:

• WAF rules: The request violated a default WAF managed rule (enabled for all orange-clouded Cloudflare domains) or a custom WAF managed rule specific to your zone. For more information, refer to WAF Managed Rules.

• Security features: A 403 response with Cloudflare branding in the response body may be triggered by:

  • WAF Custom or Managed Rules with the challenge or block action.
  • Security Level settings, which default to Medium.
  • DDoS Protection, which is enabled by default on zones onboarded to Cloudflare, IP applications onboarded to Spectrum, and IP Prefixes onboarded to Magic Transit.
  • Most 1xxx Cloudflare error codes.
  • The Browser Integrity Check.
  • Validation Checks.

Cloudflare may also serve an unstyled 403 error page in specific cases. These errors are not logged because they occur early in Cloudflare's infrastructure, before domain configuration is loaded. An example is:

• SNI ↗: A 403 error is returned when the client sends a host that does not match the SNI (Server Name Indication).