Troubleshooting 403 Forbidden Responses

Purpose

The purpose of this procedure is to troubleshoot 403 Forbidden responses. A 403 Forbidden indicates that the requested content was found but the requester is unauthorized.

Source

Narrow down the source of the issue by requesting the asset directly from the origin server. Make sure that this request uses the same relative path and file name as the corresponding CDN or edge CNAME URL.

Sample CDN URL:

Sample direct request:

Checklist:

Request the asset directly from the origin server.

• 403 Forbidden: Check for the following items:

  Verify that the request URL points to an assetA file is the most commonly known example of an asset. Refers to any collection of data that is typically stored as a single unit on a storage unit (e.g., disk drive). An example of an asset that is not physically stored on a disk drive occurs when dynamically generated content is not cached..

  Verify that the web server has been configured to allow the request.

• 2xx: Proceed to the next step.

 

Firewall

Our edge servers need to be able to communicate with the web servers associated with a customer origin configuration. The location where our IP blocks are listed varies according to whether you are using the latest version of our customer origin configuration.

• Customer Origin Group: View them from the Whitelist IP Blocks page.

  Learn more.

• Customer Origin (Legacy): View them from the Whitelist IP Blocks section of the Customer Origin page.

  Learn more.

Checklist:

Verify that all our IP blocks can access your web servers.

CDN Security

Content may be secured through any of the following CDN platform/features:

• Token-Based AuthenticationThe Token-Based Authentication feature enforces authentication prior to content delivery. Authentication takes place via an encoded token value that must be included in the request URL. This token value is then decrypted on an edge server. The requested content will only be delivered when the user meets the requirement(s) defined in the token.: Key information:
  • Directories are secured recursively.
  • The deletion of the primary and backup keys does not deactivate Token-Based Authentication.
• Country FilteringThis feature restricts access according to the country from which content was requested.

• Rules EngineAllows the customization of how requests are handled by our CDN service. It may be used to override the default response provided by an origin server, CDN settings, and the default edge server behavior.:

  • Deny Access (403) feature
  • Token Auth feature
• Web Application Firewall

The above CDN security mechanisms may generate a 403 Forbidden response for unauthorized requests.

Checklist:

Check whether CDN security has been applied to the request.

For each applicable CDN security mechanism, verify that the request should be allowed.

• Token-Based Authentication: Decrypt the token value defined in the request. Verify that the request meets the token's security requirements.

  • If the primary encryption key doesn't work, then try the backup key. If both don't work or a backup key doesn't exist, then an old or invalid key was used to generate the token.

• Country Filtering: Verify that the request originated from an authorized country.
• Web Application Firewall: Verify that the request was not improperly screened. Use the dashboard to view detailed information on why the request was screened.
• Rules Engine: Check whether the request met the match conditions for a rule containing a security feature.