403 Forbidden or 401 Unauthorized🤔! Explained here

I don't remember how many times I have mixed up these HTTP status codes. It always slipped from my comprehension that the two status codes carry different meanings, until one day I bothered to dig into the difference. To no surprise, I even see senior professionals bungling the use cases of these status codes. I don't blame anyone. Nobody blamed me when it never made any sense to me.

We've all once or twice sent the 403 (Forbidden) HTTP error code back from the server when a client request has failed. But it also has a near-identical sibling, 401 (Unauthorized). Surely they mean the same thing! Let's shift the lens and take a closer look.

What the HTTP status code standards say

According to RFC 7235 on 401 (Unauthorized):

The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource.

In simpler terms: if you are not signed in (logged in), you are denied from viewing or accessing certain resources until you authenticate.

About 403 (Forbidden), the standards say:

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it.

In simpler terms: you may be authenticated, but you are not allowed to access certain resources. Reauthenticating yourself will not grant you access to restricted resources.

Comparing the two error codes, we can tell that 401 (Unauthorized) is temporary, as authenticating yourself will fix the problem.
On the other hand, 403 (Forbidden) is permanent: having been stripped of access rights, you are denied access to the privileged actions or resources, and you may need to contact the system administrator to restore or grant access rights to you.

Use Cases

  • 403 (Forbidden) can be returned when a user has successfully authenticated (signed in) but is trying to access restricted resources. For example, a logged-in user with editor access rights who tries to run actions restricted to users with admin access rights is permanently not allowed to execute those privileged actions.

  • 401 (Unauthorized) can be returned when a user has not authenticated at all or has provided incorrect credentials. Also note that a user may provide correct credentials in a malformed way, such as a malformed JsonWebToken or a JsonWebToken without the word 'Bearer ' before it, and that may also result in 401 (Unauthorized).

The naming is quite problematic: 401, the HTTP status code for authentication, calls itself Unauthorized, when semantically "unauthorized" should refer to 403, the HTTP status code for resources the user is not authorized to access.
In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn't authorized to perform the requested operation on the given resource.
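
The decision order summarised above, as an added example that is not part of the original post: authentication is checked first and produces 401, and only an authenticated caller can reach the role check that produces 403. The `TOKENS` table (a stand-in for real JsonWebToken signature verification), the `RANK` hierarchy and all function names are assumptions made for illustration.

```javascript
// Added example with constructed data, not code from the original post.
// TOKENS stands in for real JWT verification: a token listed here is one
// whose signature and expiry would have checked out.
const TOKENS = new Map([
  ["aaa.bbb.editor", { user: "erin", role: "editor" }],
  ["aaa.bbb.admin", { user: "ada", role: "admin" }],
]);
const RANK = { editor: 1, admin: 2 }; // hypothetical role hierarchy

// A 401 response must carry a WWW-Authenticate challenge (RFC 7235, 3.1).
function unauthenticated(reason) {
  const challenge = reason ? 'Bearer error="invalid_token"' : "Bearer";
  return { status: 401, headers: { "WWW-Authenticate": challenge }, reason };
}

// Step 1: authentication. Yields the principal, or null plus a reason.
function authenticate(authorizationHeader) {
  if (!authorizationHeader) return { principal: null, reason: "" };
  // Requires the 'Bearer ' prefix and three dot-separated base64url parts.
  const match = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/
    .exec(authorizationHeader);
  if (!match) return { principal: null, reason: "malformed credentials" };
  const principal = TOKENS.get(match[1]) || null;
  return { principal, reason: principal ? "" : "unknown or expired token" };
}

// Step 2: authorization, reached only after authentication succeeded.
function decide(authorizationHeader, requiredRole) {
  const { principal, reason } = authenticate(authorizationHeader);
  if (!principal) return unauthenticated(reason);
  // Written as !(a >= b) so an unknown role fails closed (undefined -> 403).
  if (!(RANK[principal.role] >= RANK[requiredRole])) {
    return { status: 403, headers: {}, reason: "insufficient role" };
  }
  return { status: 200, headers: {}, reason: "" };
}
```

Sending the editor's token again to an admin-only route gives 403 every time, while any failure in the first step gives 401 with a challenge the client can act on.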

Wrap up!

If you have come this far, I hope the article has made clear the difference between the two near-identical status codes. If you found this helpful and wish to extend anything raised here, don't hesitate to reach out to me on Twitter at @smitterhane.