# Install forbidden with Homebrew, Nix

Bypass 4xx HTTP response status codes and more. Version 13.4 via Homebrew; verified 2026-06-03.

## Install

```sh
sudo av install brew:forbidden
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install forbidden
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#forbidden
```

  Evidence: nixpkgs package indexes: pkgs/by-name/fo/forbidden/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:forbidden
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/forbidden>
- **Version:** 13.4
- **Source summary:** Bypass 4xx HTTP response status codes and more
- **Homepage:** <https://github.com/ivan-sincek/forbidden>
- **Repository:** <https://github.com/ivan-sincek/forbidden>
- **Upstream docs:** <https://github.com/ivan-sincek/forbidden>
- **License:** MIT
- **Source archive:** <https://files.pythonhosted.org/packages/9b/aa/98fc3ee28aac41cae341a197858ff6af5d79e40dcd45c8a6e37b1fdbfd19/forbidden-13.4.tar.gz>
- **Last updated:** 2026-06-03T10:43:07Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- forbidden (cli)
- stresser (cli)
- forbidden (alias)
- stresser (alias)

## Dependencies

- certifi
- cffi
- cryptography
- curl
- openssl@3
- pycparser
- python@3.14

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 13.4
- Package-manager updated: 2026-06-03
- Local data: ok
- Upstream repository: https://github.com/ivan-sincek/forbidden
- info: No cached GitHub release or tag data was available.
## Project history and usage

Forbidden is a security testing CLI for attempting bypasses of 4xx HTTP response status codes and related web access-control behaviors. Its README describes separate forbidden and stresser commands and states that the tool is based on Python Requests, PycURL, and Python's HTTP client.

### Project history

The public project history available from official sources is mostly README-level rather than narrative. The maintained README documents a mature command set, a v13.4 build artifact in source-install instructions, and a roadmap of future tests such as hop-by-hop headers, User-Agent headers, cookies, HTTP smuggling, CRLF, Log4j, and AWS metadata SSRF.

### Adoption history

The README positions pip as the standard installation route and mentions a Homebrew formula as an alternative that is not maintained by the author. That combination places Forbidden in the common pentesting-tool distribution pattern of upstream Python packaging plus downstream CLI formulas.

### How it is used

Typical use is to supply a target URL and choose test groups such as protocols, methods, uploads, overrides, headers, path mutations, encodings, authentication bypasses, redirects, and parser tests. The README cautions about proxies normalizing URLs, rate limiting, anti-bot protections, and engine-specific behavior.

### Why package nerds care

Forbidden is package-nerd relevant as a compact example of a Python security CLI that depends on multiple HTTP engines to exercise edge cases that ordinary curl invocations cannot always produce, such as duplicate Host headers or requests without a Host header.

### Timeline

- v13.4: README source-install instructions reference building forbidden-13.4-py3-none-any.whl.
- Current README: Homebrew installation is documented as an alternative not maintained by the author.

### Related projects

- The README names Python Requests, PycURL, and Python HTTP Client as implementation engines and links to internal forbidden.py, test.py, and value.py files for the test definitions.

### Sources

- <https://github.com/ivan-sincek/forbidden>
- <https://raw.githubusercontent.com/ivan-sincek/forbidden/main/README.md>


## Security Notes

No matching local secret-handling manifest was found for forbidden. Nucleus package metadata is still published here so future coverage has a stable package URL.


## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** forbidden
- **Version Scheme:** 0
- **Revision:** 7
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - forbidden: normalized package name match | nixpkgs package indexes: pkgs/by-name/fo/forbidden/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [cffi](https://www.automicvault.com/pkg/brew/cffi/) - Runtime dependency declared by Homebrew.
- [curl](https://www.automicvault.com/pkg/brew/curl/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [ffuf](https://www.automicvault.com/pkg/brew/ffuf/) - Shares av.db curated category or tags: cli, pentesting, security, web-security.
- [gobuster](https://www.automicvault.com/pkg/brew/gobuster/) - Shares av.db curated category or tags: cli, security, web-security.
- [katana](https://www.automicvault.com/pkg/brew/katana/) - Shares av.db curated category or tags: cli, security, web-security.
- [dalfox](https://www.automicvault.com/pkg/brew/dalfox/) - Shares av.db curated category or tags: cli, security, web-security.
- [feroxbuster](https://www.automicvault.com/pkg/brew/feroxbuster/) - Shares av.db curated category or tags: cli, security, web-security.
- [jwt-hack](https://www.automicvault.com/pkg/brew/jwt-hack/) - Shares av.db curated category or tags: cli, pentesting, security.
- [ldeep](https://www.automicvault.com/pkg/brew/ldeep/) - Shares av.db curated category or tags: cli, pentesting, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [sigstore](https://www.automicvault.com/pkg/brew/sigstore/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, cryptography, openssl, openssl-3.
- [arjun](https://www.automicvault.com/pkg/brew/arjun/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, http, python, python-3-14.

## Combined YAML source

View the package source record on GitHub. [combined/forbidden.yml](https://github.com/automic-vault/db/blob/main/combined/forbidden.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
