Camping_RIDER: Which HTTP status to send?


Aloha ;)

Perhaps in future we should all start by reading the primary sources.

In any case, the 403 is officially defined like this:

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it. A server that wishes to
make public why the request has been forbidden can describe that
reason in the response payload (if any).

If authentication credentials were provided in the request, the
server considers them insufficient to grant access. The client
SHOULD NOT automatically repeat the request with the same
credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons
unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).

(RFC 7231)

So, contrary to some of the answers, the 403 actually does fit the problem according to its definition.

Also on this topic, a pretty good explanation (source):

A clear explanation from Daniel Irvine:

401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.

Oh, and @bubble: the W3C document you linked is not wrong as such; it refers to an outdated RFC (RFC 2616). That one was superseded by the RFC 7231 I linked. So the information is only wrong now because it is out of date.

Regards,

RIDER

--
Camping_RIDER a.k.a. Riders Flame a.k.a. Janosch Zoller
ch:? rl:| br:> n4:? ie:% mo:| va:) js:) de:> zu:) fl:( ss:| ls:[
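As an added illustration of the 401/403/404 distinction discussed in this post (example code, not from the post or the forum), here is a small request handler that applies the RFC 7231 semantics quoted above. The users, passwords, resource ACL and the "hidden" resource set are constructed sample data.

```python
"""Choosing between 401, 403 and 404 per RFC 7231 (added example, constructed data)."""
import base64
from dataclasses import dataclass, field

# Constructed sample data (assumption): user credentials, per-path ACL, and
# paths whose existence the server does not want to disclose to the unauthorized.
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {"/reports/": {"alice", "bob"}, "/admin/": {"alice"}, "/secret/": {"alice"}}
HIDDEN = {"/secret/"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_header(user, password):
    """Build an Authorization header value for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle(path, authorization=None):
    """Decide the status for a request: 401 = authenticate, 403 = no permission."""
    creds = parse_basic(authorization)
    if creds is None or USERS.get(creds[0]) != creds[1]:
        # Missing or wrong credentials: 401 must carry WWW-Authenticate so the
        # client knows how to re-authenticate and try again.
        return Response(401, {"WWW-Authenticate": 'Basic realm="example"'},
                        "please authenticate and retry")
    user = creds[0]
    if path not in ACL or (user not in ACL[path] and path in HIDDEN):
        # Unknown resource, or a forbidden one whose existence we hide (RFC 7231).
        return Response(404, body="not found")
    if user not in ACL[path]:
        # Authenticated, identity believed, but not authorized: retrying with the
        # same credentials will not help, so no WWW-Authenticate header here.
        return Response(403, body=f"{user} may not access {path}")
    return Response(200, body=f"hello {user}")
```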
