HTTP status code 403 (Forbidden) is in the client errors (4xx) range. However, there are valid reasons for a site under test to return a 403 status, so reporting it as an error would be a false positive.
How should it be reported though? There is a risk that the test was misconfigured and the 403 is preventing parts of the site from being tested; counting requests resulting in 403 as passed would hide such problems. So it might be worth adding a separate category for this that is neither passed nor failed.
Another question is whether to check the document body by default. I think this would depend on whether the error page is generated by the software under test or by a web server in front of it. See issue #7.