401 vs 403
A 401 and a 403 both refuse access, which is why they get confused. The distinction is about authentication versus permission. A 401 says the server does not know who you are; a 403 says it knows exactly who you are and you are still not allowed in.
Getting the right one back matters because each points at a different fix, and on a public site either can accidentally block the pages you want crawled.
At a glance
| Aspect | 401 | 403 |
|---|---|---|
| Meaning | Unauthorized | Forbidden |
| Question it answers | Who are you? (not authenticated) | Are you allowed? (no permission) |
| Will logging in help? | Yes, valid credentials may grant access | No, the account simply lacks permission |
| Typical trigger | Missing or invalid credentials | Valid user, insufficient rights or a block rule |
| SEO risk | Login walls hiding content from crawlers | Firewall or CDN rules blocking legitimate bots |
When a 401 is correct
A 401 is right when the request lacks valid authentication. The client has not proven who it is, so the server cannot act, and supplying correct credentials should resolve it. The response should include a WWW-Authenticate header describing how to authenticate.
On a public site, an accidental 401 usually means content sits behind a login it should not, hiding it from both visitors and crawlers.
When a 403 is correct
A 403 is right when the server knows who the client is and still refuses the request. The credentials are fine; the account simply lacks the rights, or a rule blocks the request outright.
The common SEO failure is a firewall, CDN, or bot rule that returns 403 to legitimate crawlers, quietly deindexing pages. If important URLs return 403 to search engines, check those rules first.
Frequently asked questions
- What is the simplest way to tell 401 and 403 apart?
  Ask whether logging in would help. If valid credentials could grant access, it is a 401 (not authenticated). If the user is already known and still blocked, it is a 403 (no permission).
- Can a 403 hurt my SEO?
  Yes. If a firewall or CDN returns 403 to search engine crawlers, the affected pages cannot be indexed and may drop from search results. Check that bot-blocking rules are not catching legitimate crawlers.
- Should a missing page return 401 or 403?
  Neither. A missing page should return 404 or 410. A 401 and 403 are about access control, not existence, so use them only when the resource exists but the request is refused.
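The decision order described above (missing page, then authentication, then permission), as an added example that is not code from this page. The token table, role table, paths, and the `Bearer realm="example"` challenge are constructed assumptions for illustration.

```python
# Added example: every name and value below is constructed for illustration.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}        # bearer token -> user
ROLES = {"alice": {"admin"}, "bob": {"reader"}}          # user -> roles held
# path -> role required to read it; None marks a public page
RESOURCES = {"/": None, "/reports": "reader", "/admin": "admin"}

CHALLENGE = 'Bearer realm="example"'


def authenticate(authorization):
    """Return (user, error); user is None when the caller is not authenticated."""
    if not authorization:
        return None, None                    # no credentials sent at all
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None, None                    # nothing usable for this scheme
    user = TOKENS.get(token.strip())
    if user is None:
        return None, "invalid_token"         # credentials sent, but not valid
    return user, None


def decide(path, authorization=None):
    """Return (status, headers) for a request to path."""
    if path not in RESOURCES:
        return 404, {}                       # existence, not access control
    required = RESOURCES[path]
    if required is None:
        return 200, {}                       # public page: never challenge
    user, error = authenticate(authorization)
    if user is None:
        # 401: logging in could help, so say how via WWW-Authenticate
        challenge = CHALLENGE + (f', error="{error}"' if error else "")
        return 401, {"WWW-Authenticate": challenge}
    if required not in ROLES.get(user, set()):
        return 403, {}                       # known user, still not allowed
    return 200, {}


if __name__ == "__main__":
    for path, auth in [("/", None), ("/reports", None),
                       ("/admin", "Bearer tok-bob"), ("/missing", None)]:
        print(path, auth, decide(path, auth))
```
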