403 error
Why do I get a 403 error when trying to fetch subdomain.example.com, which has an origin rule?
18 Replies
I use this. Why do I get this error?
fetch from what? A Worker? something else? What's the full page?
I fetch the subdomain.example.com
I get an error
That forbidden is being returned by your Express server, as shown in the x-powered-by and cf-cache-status (being present) headers
you'll have to debug why it is returning Forbidden, but it's not CF that is doing it
What may be causing this?
@chaika.me also another thing
I have a route /status that sends the auth status
If I visit using subdomain.example.com, it gives the auth status
and if I visit using ip:port, I get unauthorized
I think they must be the same
My VPS IP
Why is the response different?
I’m not using nginx
I’m using the Cloudflare origin server rules
How can I make this?
If I open the API in my browser it works, but when I fetch it I get error 403
No, using my front-end nextjs
@chaika.me @seanmmitchell anyone know how to fix this?
Again, it's express sending it, not CF. Help with origin servers is limited -- I don't know express.
A quick google search about 403s with express results in this:
https://stackoverflow.com/questions/50904729/403-forbidden-on-express-cant-accept-authorization-header
If the OPTIONS request from CORS is the one that gets 403'd, then that is why it works fine when visiting directly. CORS Options/Preflight Requests don't contain auth headers, so if your API requires Auth, then you need to modify Express to send back cors headers/204 on the options request, which you can do manually or use some pre-existing package like expressjs/cors.
Stack Overflow
403 forbidden on express. Can't accept Authorization header
I have a REST Api, and all endpoints must send a response when the user has an authentication token (I use the jwt token).
everything works fine when I test my code using postman, but from front not
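The preflight ordering described in the reply above, as an added example that is not code from the thread or from Express: plain functions over request-like objects show why an auth check that runs before the OPTIONS handling returns 403, and how answering the preflight first fixes it. The origin, token and function names are hypothetical.

```javascript
// Added example: constructed origin and token, hypothetical function names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed front-end origin
const VALID_TOKEN = "Bearer demo-token"; // constructed placeholder credential

// Auth check as an API might apply it to every request.
function requireAuth(req) {
  return req.headers["authorization"] === VALID_TOKEN
    ? null
    : { status: 403, headers: {}, body: "Forbidden" };
}

// CORS headers are granted only to allowlisted origins, never echoed blindly.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": "GET, POST, OPTIONS",
    "access-control-allow-headers": "authorization, content-type",
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// A preflight is an OPTIONS request carrying Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === "OPTIONS" && "origin" in req.headers &&
    "access-control-request-method" in req.headers;
}

// Broken ordering: auth runs first, so the credential-less preflight gets 403.
function handleAuthFirst(req) {
  return requireAuth(req) || { status: 200, headers: corsHeaders(req.headers.origin), body: "ok" };
}

// Fixed ordering: answer the preflight with 204 first; real requests still need auth.
function handlePreflightFirst(req) {
  const cors = corsHeaders(req.headers.origin);
  if (isPreflight(req)) return { status: 204, headers: cors, body: "" };
  const denied = requireAuth(req);
  if (denied) return { ...denied, headers: cors };
  return { status: 200, headers: cors, body: "ok" };
}

// Constructed sample requests (header names lower-cased, as Node presents them).
const preflight = { method: "OPTIONS", headers: { origin: "https://app.example.com",
  "access-control-request-method": "GET", "access-control-request-headers": "authorization" } };
const actual = { method: "GET", headers: { origin: "https://app.example.com", authorization: VALID_TOKEN } };
```

A preflight from an origin outside the allowlist still gets 204 here but without any `access-control-*` headers, so the browser refuses to send the real request.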
I figured out that the connect.sid cookie by express-session is saved only in the subdomain