How to Fix 403 Forbidden in Magento 2 (Quick Steps)

Quick answer: A Magento 2 “403 Forbidden” usually means your web user doesn’t have read/execute access or the doc root/entry files have wrong permissions. Set standard Magento permissions (dirs 755, files 644), ensure correct owner:group for the web server user, clear caches, and reload Nginx/Apache. See the full commands below.

Symptoms

  • Browser shows 403 Forbidden or “You don’t have permission to access … on this server”.
  • Admin or storefront returns 403 after deploy, migration, or ownership change.
  • Error log shows permission/denied entries or missing index permission.

Common causes

  • Directories or files have incorrect mode (e.g., dirs 700 or files 600).
  • Wrong owner/group after Composer deploy, rsync/SFTP, or CI pipeline.
  • Server user (e.g., www-data, nginx, apache) lacks read/execute.
  • Nginx/Apache root or location config points to wrong path / missing index.
  • SELinux/AppArmor or chroot constraints (less common).

Prerequisites

  • SSH access with sudo privileges.
  • Magento docroot path (e.g., /var/www/html/magento).
  • Web server user & group (e.g., www-data:www-data on Ubuntu/Debian, nginx:nginx or apache:apache on CentOS/RHEL).

Fix steps (Linux CLI)

Run these from the Magento root directory. Replace <user>:<group> with your web server user & group.

1) Set correct ownership

cd /var/www/html/magento
sudo chown -R <user>:<group> .
# Example:
# sudo chown -R www-data:www-data .

2) Reset directory and file permissions

# Directories 755 (rwx for owner; rx for group/others)
find . -type d -exec chmod 755 {} \;

# Files 644 (rw for owner; r for group/others)
find . -type f -exec chmod 644 {} \;

3) Ensure executables stay executable

chmod u+x bin/magento

4) Give generated/var/pub the expected write access (owner = web user)

# If filesystem ownership matches the web user, 755/644 is typically enough.
# If you must use groups for write access:
sudo find var generated pub/static pub/media -type d -exec chmod 775 {} \;
sudo find var generated pub/static pub/media -type f -exec chmod 664 {} \;

5) Clear caches

bin/magento cache:flush

Note: Avoid using 777—this is insecure and can still fail with certain server configs.

Web server checks (Nginx/Apache)

Nginx

  • Verify root points to the Magento pub/ directory (production best practice).
  • Ensure index.php is listed in the index directive.
  • Reload: sudo nginx -t && sudo systemctl reload nginx

Apache

  • Set DocumentRoot to pub/ (or enable provided rewrites if serving from root).
  • Allow overrides for Magento dirs (AllowOverride All where .htaccess is needed).
  • Reload: sudo apachectl configtest && sudo systemctl reload apache2

Verify the fix

  1. Visit storefront and admin; 403 should be gone.
  2. Check server logs for lingering permission denials:
    # Nginx
    sudo tail -n 200 /var/log/nginx/error.log
    # Apache
    sudo tail -n 200 /var/log/apache2/error.log
  3. Run a quick static content deploy in production if needed:
    bin/magento maintenance:enable
    bin/magento setup:di:compile
    bin/magento setup:static-content:deploy -f
    bin/magento cache:flush
    bin/magento maintenance:disable

Prevention & best practices

  • Deploy as the web user (or fix ownership immediately post-deploy).
  • Keep docroot set to pub/ in production.
  • Use CI tasks to normalize permissions after Composer install or artifact upload.
  • Avoid 777; use correct owner/group and 775/664 where write is required.
  • Track permission drift with a post-deploy script or Magento Cleanup task.

Still stuck?

Get a free 15-minute fix session with a Magento expert.

Book now

One-click post-deploy permissions

Automate permission & cache tasks with our deployment checklist.

Download the checklist (PDF)

FAQ

What are the recommended Magento 2 permissions?+

Directories 755, files 644. For writable dirs (var, generated, pub/static, pub/media) you may use 775/664 when the web group needs write access.

Should I serve Magento from pub/?+

Yes—production best practice is to set docroot to pub/ for security and proper rewrite handling.

Does 403 mean my server is down?+

No. It indicates permission/authorization issues. Check ownership, modes, and web server config.

Will 777 fix it faster?+

Don’t use 777. It’s insecure and can still fail under certain security modules. Correct owner/group + 755/644 (or 775/664 where needed) is the right approach.

Categories: Magento 2 Questions & Answers
Talk to a Hyvä expert
Loading...