macOS
brew install forbiddenlocal Homebrew formula metadata
brew
Bypass 4xx HTTP response status codes and more. Version 13.4 via Homebrew; verified 2026-06-03.
install
brew install forbiddenlocal Homebrew formula metadata
nix profile install nixpkgs#forbiddennixpkgs package indexes · pkgs/by-name/fo/forbidden/package.nix · source: api.github.com
overview
Bypass 4xx HTTP response status codes and more
history
Forbidden is a security testing CLI for attempting bypasses of 4xx HTTP response status codes and related web access-control behaviors. Its README describes separate forbidden and stresser commands and states that the tool is based on Python Requests, PycURL, and Python's HTTP client.
The public project history available from official sources is mostly README-level rather than narrative. The maintained README documents a mature command set, a v13.4 build artifact in source-install instructions, and a roadmap of future tests such as hop-by-hop headers, User-Agent headers, cookies, HTTP smuggling, CRLF, Log4j, and AWS metadata SSRF.
The README positions pip as the standard installation route and mentions a Homebrew formula as an alternative that is not maintained by the author. That combination places Forbidden in the common pentesting-tool distribution pattern of upstream Python packaging plus downstream CLI formulas.
Typical use is to supply a target URL and choose test groups such as protocols, methods, uploads, overrides, headers, path mutations, encodings, authentication bypasses, redirects, and parser tests. The README cautions about proxies normalizing URLs, rate limiting, anti-bot protections, and engine-specific behavior.
Forbidden is package-nerd relevant as a compact example of a Python security CLI that depends on multiple HTTP engines to exercise edge cases that ordinary curl invocations cannot always produce, such as duplicate Host headers or requests without a Host header.
security posture
No matching local secret-handling manifest was found for forbidden. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
forbidden | cli | global executable | |
stresser | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/ivan-sincek/forbidden
install metadata
| Package key | brew:forbidden |
|---|---|
| Version | 13.4 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/forbidden |
| Homepage | https://github.com/ivan-sincek/forbidden |
| Repository | https://github.com/ivan-sincek/forbidden |
| Upstream docs | https://github.com/ivan-sincek/forbidden |
| License | MIT |
| Source archive | https://files.pythonhosted.org/packages/9b/aa/98fc3ee28aac41cae341a197858ff6af5d79e40dcd45c8a6e37b1fdbfd19/forbidden-13.4.tar.gz |
| Last updated | 2026-06-03T10:43:07Z |
| Pulse | updated |
| Dependencies | certifi, cffi, cryptography, curl, openssl@3, pycparser, python@3.14 |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | forbidden |
| Version Scheme | 0 |
| Revision | 7 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
forbidden
nix profile install nixpkgs#forbiddensource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.