getting 403 Forbidden on api calls
i enabled Clouldflare services to my website 2 days ago, and i was using API to Post content on the website, suddenly all the api call returning 403 Forbidden
18 Replies
@Chaika
@anyone??
pls no random pinging
403 is vague, I would check under CF Dash -> your site -> Security -> Events for any blocks there & https://community.cloudflare.com/t/community-tip-fixing-error-403-forbidden/53308
Cloudflare Community
Community Tip - Fixing Error 403 Forbidden
Error Try the suggestions in this Community Tip to help you fix Error 403 Forbidden. Background A 403 Forbidden Error is a client side error that means that the client sent something the origin was unable to process. With the exception of requests that violate WAF rules or subdomains that are not covered by a certificate, Cloudflare does not ...
Sorry for directly mention you, but I tried all the tips of fixing, even I also added a waf rule to skip everything with my IP it still 403
You can't skip everything, for example Bot Fight Mode (Free version - You can skip Super Bot Fight Mode which is the Paid version). I would check under Security -> Events to see if CF really is the one blocking it/what specific service first. I would also check the response headers, if it contains CF-Cache-Status it's from your origin rather then Cloudflare
the 403 is from CF, i can see the ray-id
this happens only when i use VPN
it was working fine for 2 days, and i didnt change anything
You can click on each event to expand it, but would need to find a block rather then a skip
well, do you have Bot Fight Mode (under Security -> Bots or via Magic Link: https://dash.cloudflare.com/?to=/:account/:zone/security/bots) on? Sounds more and more like it
Bot Fight Mode
is off
When you get a block page, you can filter in Security -> Events for that Ray ID
and just to clarify, by "using API to post Content on the website", the API does live on your domain, right? You're not talking about using the CF API or any other external api
no API is on my domain
not getting any event with rayId
If it just happened you might have to give it a second or adjust your time period to last 30 minutes
What's your setup? Are you using a specific host behind Cloudflare like WPEngine, or self-hosting your api?
I am using wordpress
the front website load fine, but the backend is denied access
data-cf-beacon='{"rayId":"826007451efdc3eb","r":1,"version":"2023.10.0","token":"db2a86f76e1248c6b5697f296a498cd4"}'
this is the rayID, correct?
curl debug trace
That 403 is coming from your origin, not Cloudflare
Your origin seems to be hostinger, they're returning it
You can tell because CF-Cache-Status exists, and because other origin response headers are there, like x-turbo-charged-by and platform