HTTP 403 Forbidden means the server understood your request but refuses to fulfill it — you're not authorized to see the resource, and unlike a 401, authenticating won't change the answer. For scrapers, a 403 is most often an anti-bot verdict, not a permissions problem.
A 401 says "authenticate and try again"; a 403 says "I know who you are — or don't care — and the answer is no." A 404 claims the resource doesn't exist (sometimes used to hide private pages), and a 429 objects only to your request rate. The distinctions matter for scrapers because each code prescribes a different fix: credentials, a different URL, slower pacing — or, for the 403, a different identity.
Sites also serve 403s deliberately as an anti-bot response: Cloudflare, Akamai, and similar systems return 403 (often with a challenge or block page in the body) when a request's fingerprint, IP reputation, or behavior scores as automated. The status code is the same; the cause is bot detection, not file permissions.
The classic puzzle — the page loads fine in Chrome, but your script or server gets 403 — is almost always a fingerprint gap. Default HTTP-library identifiers (python-requests, curl), a datacenter IP where a home connection is expected, a missing or contradictory header set, or a TLS handshake that doesn't match the claimed browser will each trigger the block, and they compound.
Diagnosis order: check the response body for an anti-bot vendor's block page; try a real browser user agent with complete headers; try a residential IP; and if the block persists, the site is fingerprinting deeper layers — TLS or JavaScript execution — which is the point where a plain HTTP client stops being enough.
How Crawlora handles this
Crawlora treats 403s as its problem, not yours: requests route through matched browser fingerprints and appropriate IP types, blocked attempts are retried through different identities automatically, and pay-on-success billing means an attempt that ends in a 403 doesn't consume your credits.
Glossary
FAQ
Work up the identity stack: send a current browser user agent with a complete, consistent header set; switch from a datacenter to a residential IP; and if the block persists, the site is checking TLS fingerprints or JavaScript execution, which requires a real browser engine or a scraping API that runs one.
A 401 Unauthorized means authentication is missing or wrong — supplying valid credentials can fix it. A 403 Forbidden means the server refuses regardless; for public pages served to browsers but not scripts, that refusal is usually bot detection rather than a permissions rule.
Because the site scores the two requests differently: your browser presents a coherent fingerprint from a residential IP, while the script presents a library identifier, sparse headers, and often a datacenter IP. The 403 is a bot-score verdict on those differences.
Browse Crawlora APIs, test a request in Playground, and move from scraping infrastructure work to production data workflows.