403 for POST Requests

  • #44702
    Fredel007
    Participant

    Hey guys,

    hope you may help.

    I am running Cloudflare and after flushing the cache all works good (so generally the wp-json seems to work / not being blocked), but after some time (e.g. 1/2 day) I get 403 errors for POST Requests by a Plugin.

    POST https://www.bergtour-online.de/wp-json/wordpress-popular-posts/v2/views/2451 403 (Forbidden) wpp.min.js?ver=7.2.0:4

    It feels like if Cloudflare servers have cached the site and are making the requests they may be blocked, but tbd I do not have so much experience in this 🙂 I created bypass & Whitelist for /wp-json/ in Cloudflare.

    Do you have any idea / setting I may test in BPS Pro?

    Thanks a lot!

    #44703
    AITpro Admin
    Keymaster

    Are you using the BPS POST Attack Protection Bonus Custom Code > https://forum.ait-pro.com/forums/topic/post-request-protection-post-attack-protection-post-request-blocker/ If so, then delete it from Custom Code.

    #44704
    Fredel007
    Participant

    hey thanks for super fast reply as always.

    unfortunately not using that, just

    # Security headers (optional)
    <IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    </IfModule>

    but afaik that shouldn’t be it. Any chance I provide you the complete htaccess for a quick look, or should I put a new one in for test?

    or any other setting I should do (whitelist etc. looking fine)

    thx so much!

    #44705
    AITpro Admin
    Keymaster

    If you are not using the BPS POST Attack Protection code then most likely ModSecurity installed on your web host is causing the 403 error. BPS logs all 403 errors whether or not BPS is blocking something. Another possibility is that a GET and a POST Request are being used together, i.e. GET Request to a POST Request, which I see more and more of lately. Seems like people don’t feel that following any sort of coding standards is important to do anymore. If the 403 error was occurring constantly then I would have you do the BPS troubleshooting steps, but since it occurs randomly over a period of time then my guess is that the cache gets corrupted after X time and then ModSecurity blocks that corrupted cache situation.

    #44706
    Fredel007
    Participant

    ok thanks again!
    I just figured out it seems that problem occurs only in privacy mode of browsers, which gives me more questions than before. Do you have any recommendation what I should check, and sorry again it's not so much BPS related then?

    thx again

    #44707
    AITpro Admin
    Keymaster

    If that is even possible to control then it would be a Cloudflare option setting.  ModSecurity will officially reach End of Life by 7-1-2025. It has been a nightmare for years and it is finally going into the trash bin.  Thank god