
Rule n° 217 - The server sends a customised 403 “Forbidden” error page.

When a user requests a forbidden page (for example, a request to display the contents of a directory), the server does not send a 404 (Not Found) page but a 403 (Forbidden) page, which is very unfriendly. As with the 404 error, this page can be customised to match the look of the site visited.

#Basics #Accessibility #Conception #Development #Server and performance


  • Reassure users that they are still on the same website.
  • Allow the webmaster to provide guidance to your users.
  • Inform users of the error encountered and of the server’s continuing operation.
  • Inform users that the problem isn't caused by their connectivity.


Modify the web server configuration to send the user to a customised page when access to the requested resource is not allowed.

If the main server configuration is not directly accessible and the environment allows it, use a local, per-directory configuration. For example, Apache allows the creation of an .htaccess file containing error-handling directives: ErrorDocument 403 /mapage.html.


For each audited site:

  • Obtain a 403 error page. To do this, take the URL of one of the site's images and remove its last part, keeping only the directory names between the slashes, for example: https://www.example.com/img/. The page displayed should then be a 403 error page.
  • Check that the page returned does not correspond to the 403 page returned by default by the server (Apache, IIS, Nginx) but to a custom error page, with graphics that are consistent with the website in general.
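
The two checks above can be automated. The following is an added example, not part of the Opquast rule: it classifies the response to a directory request as a custom page, a server default page, or not a 403 at all. The function names and the sample bodies are assumptions made for this illustration, and the markers are wording from the stock 403 pages of Apache, Nginx and IIS.

```python
import re
import urllib.error
import urllib.request

# Fragments of the stock 403 bodies shipped with each server.
DEFAULT_403_MARKERS = {
    "Apache": re.compile(r"<h1>Forbidden</h1>\s*<p>You don't have permission to access", re.I),
    "Nginx": re.compile(r"<center><h1>403 Forbidden</h1></center>\s*<hr><center>nginx", re.I),
    "IIS": re.compile(r"403 - Forbidden: Access is denied", re.I),
}

def classify_403(status, body):
    """Verdict for a directory request: custom, default-<server> or not-403."""
    if status != 403:
        # A branded page served with 200 or after a redirect is not a 403 page.
        return f"not-403 (got {status})"
    for server, marker in DEFAULT_403_MARKERS.items():
        if marker.search(body):
            return f"default-{server}"
    return "custom"

def fetch(url):
    """Return (status, body) for url; HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

# Constructed sample bodies (written for this example, not captured from a real site).
APACHE_DEFAULT = ("<html><head><title>403 Forbidden</title></head><body>\n"
                  "<h1>Forbidden</h1>\n<p>You don't have permission to access this resource.</p>\n"
                  "<hr><address>Apache Server at www.example.com Port 443</address></body></html>")
NGINX_DEFAULT = ("<html><head><title>403 Forbidden</title></head><body>\r\n"
                 "<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n"
                 "</body></html>")
CUSTOM_PAGE = ("<html><head><title>Access not allowed - Example</title></head><body>\n"
               "<nav><a href='/'>Home</a></nav><h1>This page is not accessible</h1>\n"
               "<p>The site is working normally. Use the menu to continue.</p></body></html>")

if __name__ == "__main__":
    for name, (status, body) in {
        "apache default": (403, APACHE_DEFAULT), "nginx default": (403, NGINX_DEFAULT),
        "custom": (403, CUSTOM_PAGE), "custom sent as 200": (200, CUSTOM_PAGE),
    }.items():
        print(f"{name}: {classify_403(status, body)}")
```

To audit a live site, pass the result of fetch() on a directory URL of that site to classify_403(). A "custom" verdict still needs a visual check that the page's graphics are consistent with the rest of the website.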

By Opquast - Read the license
