Troubleshooting 403 Forbidden Responses

Purpose

The purpose of this procedure is to troubleshoot 403 Forbidden responses. A 403 Forbidden indicates that the requested content was found but the requester is unauthorized.

Source

Narrow down the source of the issue by requesting the asset directly from the origin server. Make sure that this request uses the same relative path and file name as the corresponding CDN or edge CNAME URL.

Sample CDN URL:

http://wpc.0001.edgecastcdn.net/000001/marketing/productX/brochure.pdf

Sample direct request:

http://www.mydomain.com/marketing/productX/brochure.pdf

Checklist:

Request the asset directly from the origin server.

 

Firewall

Our edge servers need to be able to communicate with the web servers associated with a customer origin configuration. The location where our IP blocks are listed varies according to whether you are using the latest version of our customer origin configuration.

  • Customer Origin Group: View them from the Whitelist IP Blocks page.

    Learn more.

  • Customer Origin (Legacy): View them from the Whitelist IP Blocks section of the Customer Origin page.

    Learn more.

Checklist:

Verify that all our IP blocks can access your web servers.

CDN Security

Content may be secured through any of the following CDN platform/features:

The above CDN security mechanisms may generate a 403 Forbidden response for unauthorized requests.

Checklist:

Check whether CDN security has been applied to the request.

For each applicable CDN security mechanism, verify that the request should be allowed.

  • Token-Based Authentication: Decrypt the token value defined in the request. Verify that the request meets the token's security requirements.
    • If the primary encryption key doesn't work, then try the backup key. If both don't work or a backup key doesn't exist, then an old or invalid key was used to generate the token.

  • Country Filtering: Verify that the request originated from an authorized country.
  • Web Application Firewall: Verify that the request was not improperly screened. Use the dashboard to view detailed information on why the request was screened.
  • Rules Engine: Check whether the request met the match conditions for a rule containing a security feature.