Error 403 on all AJAX calls

Error message is like this:

WARNING: The last response from your WordPress server did not include the confirmation header that should be in all valid Font Awesome responses. This is a clue that some code from another theme or plugin is acting badly and causing the wrong headers to be sent.

And also the call to /wp-json/font-awesome/v1/conflict-detection/until throws a 403 error (Failed to load resource: the server responded with a status of 403)

@fidoboy in my experience, when this “lack of confirmation header” comes up, it’s sometimes because a plugin or theme other than the Font Awesome plugin is acting in an expected way during these requests and is emitting some output to the request that is unexpected. Another plugin might assume that it’s operating in the context of a request that has an HTML response, instead of a REST API context where a JSON formatted response body is expected, so that plugin might emit HTML content, resulting in a malformed response. This confirmation header mechanism was added as a way to help point out when that is happening.

So, especially if it seems to have suddenly happened, I would ask: what recent changes have you made related to other plugins, or possibly your theme? Especially anything to do with caching, proxying, or security?

Another way to get a clue as to what other code might be responsible for this is to look at the body of the HTTP response that has the 403 status, in the network tab of the browser console. Can you inspect that? Sometimes it will be obvious, because it will include something self-referential in an HTML error message from the responsible code that identifies itself as the source of the message.

A different kind of cause might be: something like a proxy that has recently been placed in front of your WordPress server, like Varnish, and that proxy has a too-strict policy for what routes it allows, so it returns a 403 HTML response, despite the expectation for a JSON response, before even allowing the request to reach the origin WordPress server.

Into the console, the response data doesn’t shows anything weird:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"7516e373ad5d0b4b","version":"2022.8.1","r":1,"token":"361fbea6cc314ec69cc86a4401112a6d","si":100}' crossorigin="anonymous"></script>
</body></html>

Just the 403 page itself.

Can’t remember any important change that points into the direction that you suggested. I’m not using Varnish anyway. I’ve tried disabling the server firewall and security plugins that I believed that could interfere with headers but without success. I have no idea about where to look for it. The response doesn’t gives any clue.

The site heath report also doesn’t shows anything out of order and WP REST API seems to be working well except for this PUT call. Could it be related with CORS or other security headers?

@mlwilkerson as you probably already have noticed, response is HTML, not JSON. So I suspect that issue comes from nginx or apache. Are there any tips or guidelines to properly setup this plugin and make it compatible with nginx? Should I add any special rule into the nginx config to avoid problems with wp-json?

Other than this I’m out of ideas and I don’t know what else to test.

Thanks in advance.

The fact that the response is HTML, not JSON, seems like a clue to me: I don’t think that the WordPress REST API would respond to a REST request with an HTML response like that. So this seems like evidence supporting the theory that something (yes, like nginx or apache) is rejecting the request before the WordPress REST API even gets a chance to process it.

The fact that it’s happening for a PUT request is also evidence supporting the same theory. I’ve seen this in multiple other situations where PUT requests are rejected while POST requests to a similar route are allowed. As I recall, it’s always been the case that, when that occurs, it’s because of some policy in nginx, apache (or whatever web server) that’s overly aggressive and denies PUT requests.

As for why that would happen suddenly, when it worked previously, my best guess at the moment is that–if you’re using a hosting provider that manages part of your web server stack–they recently changed something about those allow/deny rules in nginx, apache, or whatever web server hosts your WordPress site.

I want to believe you’re right, however I’m the server admin and I haven’t made any changes on nginx or apache policies. I have revised all configs one and many times but I can’t see anything related to PUT request which causes that behaviour.

I remember that I made some changes into response headers, to be in compliance with HSTS and CORS, thats why I’ve asked if it could be related with the issue.

@mlwilkerson just in case of any other user falls into this issue, the solution is to add this into .htaccess:

<Limit GET HEAD POST PUT DELETE OPTIONS>
    Require all granted
</Limit>

Hope it helps. It happens with apache 2.4

• This reply was modified 2 years, 1 month ago by fidoboy.