403 Forbidden Checklist

Problem

The site or a specific path returns 403 Forbidden as the final response.

Symptoms

• Browsers show Access Denied or Forbidden messages.
• HTTP Check shows a final status code of 403.
• The issue only happens for certain IP ranges, countries, or clients.

Top 3 Causes

1. Origin permission or auth rules are wrong - File permissions, auth middleware, or allow/deny rules are blocking access.
2. A WAF or CDN rule blocks the request - Bot protection, geo restrictions, or firewall rules deny the request before the app handles it.
3. The request lands on the wrong host or route - The hostname or path resolves to a protected virtual host or placeholder page.

Diagnose with DechoNet

• HTTP Check to inspect the final status code, headers, and redirect path.
• IP Check to understand whether the request path looks like cloud, proxy, or VPN traffic.
• RDAP / WHOIS to confirm the domain routing context still matches the intended service setup.

Resolution Checklist

• Review origin access control, auth middleware, and directory or file permission settings.
• Inspect CDN or WAF firewall rules, bot management, and geo restrictions.
• If only some assets or routes fail, validate rewrite rules and file permissions for that path.
• Confirm the request is landing on the intended hostname and origin.
• Re-run HTTP Check after changes and verify that the final status code is no longer 403.

When to Escalate

• Escalate if WAF or CDN security rules are centrally managed outside your control.
• Escalate to the hosting provider if file permissions or access policy cannot be changed directly.