by 9Ljdg6p8ZSzejt
758 days ago
It isn't that the codes are named wrongly. 401 Unauthorized means you don't have permission to access the page, whether you're authenticated or not. 403 Forbidden means you can never access the page, regardless of permissions. This is typical in multi-tenant setups or when a site is never accessible to unauthenticated users. The distinction is subtle but important, and developers often misuse these codes, serving 403 Forbidden for authorization issues instead of indicating a permanent block.

> Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response.
[0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status#cli...