Hello,

I maintain a set of free HTTP diagnostic tools at DNS Robot (https://dnsrobot.net) and wanted to share some common Apache misconfigurations I have encountered that cause unexpected 401 and 403 errors, in case it helps others on this list.

1. Misplaced AuthType directives — placing AuthType Basic and Require valid-user in the root .htaccess instead of limiting it to /admin/ or a specific <Directory> block. This forces authentication on every page, including public content and Googlebot requests (which kills SEO).

2. Incorrect ownership after deployment — after deploying with rsync or git pull, file ownership changes to the deploying user instead of www-data. Files are readable by the owner but not by the Apache worker process. Fix: chown -R www-data:www-data /var/www/html/ after every deploy.

3. 403 on directories without DirectoryIndex — when Options -Indexes is set (correctly, for security) but a directory has no index.html or index.php. Apache returns 403 instead of 404, which confuses both users and monitoring tools.

4. SELinux silently causing 403 on CentOS/RHEL — file permissions show 755/644 but Apache still returns 403. The fix is chcon -R -t httpd_sys_content_t /var/www/html/ to set the correct SELinux context.

For debugging these issues, inspecting the response headers is often the fastest path. Our HTTP Headers tool (https://dnsrobot.net/http-headers) lets you check any URL's status code and response headers instantly, which helps pinpoint whether the 401/403 is coming from Apache, a reverse proxy, or a WAF like mod_security.

Has anyone else run into edge cases with Apache auth configurations they would like to share?

Best regards,
Shaik Vahid
DNS Robot — https://dnsrobot.net
Free DNS & Network Diagnostic Tools
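
Added example, not part of the original message: a read-only audit of a document root for the conditions in items 2 and 3 (files the worker cannot read, directories with no index file). It evaluates plain mode bits only, so ACLs and the SELinux contexts from item 4 are out of scope; the worker uid/gid and the sample tree are constructed for illustration.

```python
import os
import tempfile

INDEX_NAMES = ("index.html", "index.php")  # the index files named in the post

def can_access(st, uid, gids, need):
    """Owner/group/other check from mode bits only (no ACLs, no SELinux)."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return (bits & need) == need

def audit_docroot(root, uid, gids):
    """Return sorted (finding, path) pairs for a worker running as uid/gids."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not can_access(os.stat(dirpath), uid, gids, 1):    # x = traverse
            findings.append(("dir-not-traversable", dirpath))
        if not any(name in files for name in INDEX_NAMES):
            findings.append(("no-index", dirpath))            # item 3
        for name in files:
            path = os.path.join(dirpath, name)
            if not can_access(os.stat(path), uid, gids, 4):   # r = read
                findings.append(("file-not-readable", path))  # item 2
    return sorted(findings)

def build_sample_tree():
    """Constructed docroot: one owner-only file, one directory without an index."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "assets"))
    layout = {"index.html": 0o644, "app.php": 0o600, "assets/logo.png": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for d in (root, os.path.join(root, "assets")):
        os.chmod(d, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.stat(root)
    # Hypothetical worker identity: neither the owner nor in the files' group.
    for finding, path in audit_docroot(root, owner.st_uid + 1, {owner.st_gid + 1}):
        print(finding, os.path.relpath(path, root))
```
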
