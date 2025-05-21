Error 403
The
403 Forbidden status code indicates that the client's request was understood by the server but cannot be fulfilled due to insufficient permissions to access the requested resource.
For more details, refer to RFC 7231 ↗.
If you encounter a
403 error without the Cloudflare branding, this means that the error is being returned directly by the origin web server, not Cloudflare. This is typically related to permission rules set on your server. Common reasons for this error are:
- Permission rules configured on the origin web server (for example, in an Apache
.htaccessfile).
- Mod_security rules.
- IP deny rules, such as blocking traffic from certain IP ranges. Make sure that Cloudflare's IP ranges ↗ are not being blocked.
Cloudflare may serve
403 responses in the following scenarios:
-
WAF rules: The request violated a default WAF managed rule (enabled for all orange-clouded Cloudflare domains) or a custom WAF managed rule specific to your zone. For more information, refer to WAF Managed Rules.
-
Security features: A
403response with Cloudflare branding in the response body may be triggered by:
- WAF Custom or Managed Rules with the challenge or block action.
- Security Level settings, which default to Medium.
- DDoS Protection, which is enabled by default on zones onboarded to Cloudflare, IP applications onboarded to Spectrum, and IP Prefixes onboarded to Magic Transit.
- Most 1xxx Cloudflare error codes.
- The Browser Integrity Check.
- Validation Checks.
Cloudflare may also serve an unstyled
403 error page in specific cases. These errors are not logged because they occur early in Cloudflare's infrastructure, before domain configuration is loaded. An example is:
- SNI ↗: A
403error is returned when the client sends a host that does not match the SNI (Server Name Indication).
