These two status codes tell you why a web request was refused. They help you work out whether you need to log in first or whether you are simply not allowed to access the resource.
401 Unauthorized vs 403 Forbidden in Rest API
Introduction
Typical situations in which these two codes are returned:
When a user tries to access a page without logging in.
When a user is logged in but tries to open a page they don't have permission for.
When an API request is made without a valid token.
When a user tries to access admin features but is not an admin.
Syntax
HTTP/1.1 401 Unauthorized
HTTP/1.1 403 Forbidden
401 Unauthorized means you must log in or provide valid credentials.
403 Forbidden means you are logged in but not allowed to access this resource.
Examples
This response asks the user to provide login details.
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Access to the site"
This response tells the user they cannot access the page even though they are logged in.
HTTP/1.1 403 Forbidden
Content-Type: text/html

<html><body><h1>Access Denied</h1></body></html>
Sample Program
This small web app checks if you send a token. If you send no token, it returns 401. If you send a wrong token, it returns 403. If the token is correct, it shows a secret message.
from flask import Flask, request, abort

app = Flask(__name__)

@app.route('/secret')
def secret():
    # The Authorization header carries the caller's credentials, if any.
    auth = request.headers.get('Authorization')
    if not auth:
        abort(401)  # No login info: the caller must authenticate first
    if auth != 'Bearer validtoken':
        abort(403)  # Logged in but no permission for this resource
    return 'Welcome to the secret area!'

if __name__ == '__main__':
    app.run(debug=True)
Important Notes
401 means "You need to prove who you are".
403 means "I know who you are, but you can't do this".
Always use these codes correctly to help users and developers understand access problems.
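The following is an added example, not code from the page or its Flask sample, that applies the two definitions above to a bearer-token API. An Authorization header that is missing, uses the wrong scheme, or carries a token the server does not recognise means the caller has not proved who they are, so the response is 401 together with a WWW-Authenticate header (which RFC 7235 requires on every 401). Only a recognised user who lacks the required role gets 403. The token table, the roles, the realm name "api" and the function names authenticate, handle and render are assumptions made for the example; it uses only the Python standard library so it runs without Flask.

```python
"""Choosing between 401 and 403 for a bearer-token protected resource.

Added example: the token table and roles below are constructed sample data.
A real service would validate the token against a session store or identity
provider instead of a dictionary.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: opaque bearer tokens mapped to the identity they prove.
TOKENS = {
    "tok-alice": {"user": "alice", "roles": {"user", "admin"}},
    "tok-bob": {"user": "bob", "roles": {"user"}},
}

REASONS = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(authorization_header: Optional[str]) -> Optional[dict]:
    """Return the user identified by the Authorization header, or None.

    None covers every authentication failure alike: no header, a scheme other
    than Bearer, an empty token, or a token the server does not recognise.
    """
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return TOKENS.get(token.strip())


def handle(authorization_header: Optional[str], required_role: str) -> Response:
    """Decide the status for a request to a resource that needs required_role."""
    user = authenticate(authorization_header)
    if user is None:
        # We do not know who the caller is: 401, and say how to authenticate.
        return Response(401, {"WWW-Authenticate": 'Bearer realm="api"'},
                        "Authentication required")
    if required_role not in user["roles"]:
        # We know exactly who the caller is; this identity is not allowed here: 403.
        return Response(403, {}, "Access Denied")
    return Response(200, {}, f"Welcome, {user['user']}!")


def render(resp: Response) -> str:
    """Serialise the decision as an HTTP/1.1 response, status line first."""
    lines = [f"HTTP/1.1 {resp.status} {REASONS[resp.status]}"]
    lines += [f"{name}: {value}" for name, value in resp.headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + resp.body


if __name__ == "__main__":
    # Walk through the four cases the text describes for an admin-only resource.
    for header in (None, "Bearer wrongtoken", "Bearer tok-bob", "Bearer tok-alice"):
        print(f"--- Authorization: {header!r}")
        print(render(handle(header, "admin")))
        print()
```

Keeping the "who are you?" decision in authenticate and the "may you do this?" decision in handle means the two codes can never be confused: every path that returns None from authenticate becomes a 401 with the challenge header, and 403 is only reachable once an identity has been established.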
Summary
401 Unauthorized means no or bad login info.
403 Forbidden means logged in but no permission.
Use these codes to guide users on what to do next.