Use 403 Forbidden when a client has requested a resource that is inaccessible due to existing access controls. For example, if your app has an /admin route that should only be accessible to users with administrative rights, you can use 403 when a normal user requests the page.
GET /admin HTTP/1.1
...