Difference between 401 and 403 HTTP status codes

Eveline D'souza
3 min read · Mar 1, 2022


This is one of the most commonly asked interview questions, and the confusion comes from the fact that the words ‘Forbidden’ and ‘Unauthorized’ sound quite similar yet mean something distinct.

First, let’s be clear about the dictionary meaning of both words.

Unauthorized:

[Screenshot: UNAUTHORIZED | meaning in the Cambridge English Dictionary]

Forbidden:

[Screenshot: FORBIDDEN | meaning in the Cambridge English Dictionary]

Unauthorized, in HTTP terms, means the server does not know who you are: you cannot perform the activity until your identity is verified (authentication). Forbidden means the server does know who you are, i.e. you are authenticated, but your identity does not hold the level of permission required for that activity (authorization). Note that the names are misleading: 401 is really an authentication failure, and 403 is an authorization failure.

Let’s correlate it with the HTTP status codes 401 and 403.

401 (Unauthorized):

The RFC defining 401 (Unauthorized) at the time of writing is RFC 7235 (Section 3.1). It has since been folded into RFC 9110 (Section 15.5.2), which keeps the same definition.

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The user agent MAY repeat the request with a new or replaced Authorization header field.

The same section also requires the server to send a WWW-Authenticate header field with every 401 response, containing at least one challenge that applies to the target resource. A 401 without it is not compliant and leaves the client with nothing to retry with.

For example, if you paste into the browser a link that is only supposed to be accessible after you log in, the server should return HTTP 401. (In practice, many browser-facing applications redirect you to a login page with a 302 instead and reserve 401 for API calls.) It means that you tried to access something for which you must authenticate first.


401 usually means that your request lacks valid authentication credentials. The server doesn’t know who you are!

403 (Forbidden):

403 (Forbidden) was most recently defined in RFC 7231 (Section 6.5.3) at the time of writing; RFC 9110 (Section 15.5.4) now carries the same definition.

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. If authentication credentials were provided in the request, the server considers them insufficient to grant access.

The same section adds that a server which wishes to hide the existence of a forbidden resource MAY respond with 404 (Not Found) instead. That is a deliberate choice: a 403 confirms to an unauthorized caller that the resource exists, which is useful information when someone is enumerating admin endpoints.

For example, if you are logged in as an ordinary user and try to open a link meant only for admins, the server returns HTTP 403, which means it knows who you are but you are not authorized to access that link.


403 usually means that your credentials are valid and the server recognizes you, but you don’t have the permission to read or update the data.

An important thing to note here:

The official specification is not enforced in any way. Developers can override the framework’s default behaviour and return whichever code they want, so in the wild you will see 401 used for missing permissions, 403 for missing logins, and 404 or even 200 with an error body for both. Treat the RFC meanings as the intent, and always check the actual behaviour of the server in front of you.
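To make the 401/403 split concrete, here is a small request authorizer written for this post as an added example; it is not code from the original article or from any real framework. The bearer tokens, roles, routes and realm name are constructed for illustration. It returns 401 with the mandatory WWW-Authenticate challenge when credentials are missing or invalid, 403 when the caller is authenticated but lacks the required role, and optionally 404 instead of 403 to hide the resource, as RFC 7231 permits.

```python
# Added example (not from the original post): a minimal request authorizer
# that returns 401 vs 403 the way RFC 7235 / RFC 7231 describe.
# The token table, routes and realm below are constructed for illustration.
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed sample data: bearer token -> (username, roles held)
TOKENS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-alice": ("alice", {"user"}),
    "tok-bob": ("bob", {"user", "admin"}),
}

# Constructed routes: path -> role required to access it
ROUTES: Dict[str, str] = {
    "/profile": "user",
    "/admin": "admin",
}

REALM = "example"  # assumed realm name for the WWW-Authenticate challenge


def _header(headers: Dict[str, str], name: str) -> str:
    """HTTP header names are case-insensitive; look the header up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _lookup_token(presented: str) -> Optional[Tuple[str, Set[str]]]:
    """Compare against every known token without early exit, using a
    constant-time comparison, so response timing does not reveal how many
    leading bytes of a guessed token were right."""
    found = None
    for token, identity in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            found = identity
    return found


def authorize(headers: Dict[str, str], path: str,
              hide_forbidden: bool = False) -> Tuple[int, Dict[str, str]]:
    """Decide the status for a request and return (status, response headers).

    401: no usable credentials, so the server does not know who the caller is.
         RFC 7235 requires a WWW-Authenticate challenge on every 401.
    403: credentials are valid but the identity lacks the route's role.
    404: returned instead of 403 when hide_forbidden is set, which RFC 7231
         permits for servers that do not want to confirm the resource exists.
    """
    scheme, _, token = _header(headers, "Authorization").partition(" ")
    challenge = f'Bearer realm="{REALM}"'
    if scheme.lower() != "bearer" or not token.strip():
        # Missing credentials or the wrong scheme: authenticate first.
        return 401, {"WWW-Authenticate": challenge}
    identity = _lookup_token(token.strip())
    if identity is None:
        # Credentials were presented but are not valid: still 401, with the
        # error attribute that RFC 6750 defines for bearer tokens.
        return 401, {"WWW-Authenticate": challenge + ', error="invalid_token"'}

    # Only now, with an authenticated caller, consult the route table, so an
    # anonymous client cannot enumerate which paths exist.
    required_role = ROUTES.get(path)
    if required_role is None:
        return 404, {}
    _user, roles = identity
    if required_role not in roles:
        return (404, {}) if hide_forbidden else (403, {})
    return 200, {}


if __name__ == "__main__":
    print(authorize({}, "/profile"))
    print(authorize({"Authorization": "Bearer tok-alice"}, "/admin"))
    print(authorize({"Authorization": "Bearer tok-bob"}, "/admin"))
```

Two design points are worth noticing. Authentication is checked before the route table is consulted, so an anonymous caller gets the same 401 for every path and cannot tell which endpoints exist. And an invalid token is still a 401, not a 403: the server has not established who the caller is, so the caller should fix their credentials and retry, which is exactly what the WWW-Authenticate challenge tells them.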

Happy Learning! :)



Eveline D'souza

Just an Automation Test Engineer taking notes while learning.