A "403 Forbidden" status code returned by the CDN for a file or for the root location means that a protection used to filter or throttle access is enabled.
Where Can a 403 Originate from?
- The CDN side, through HTTP Referrer Protection, which is designed to allow only whitelisted domains (referrers), so all other domains (as well as any direct access) are rejected with status code "403".
- The origin side, through HotLink Protection, which is supposed to serve the same purpose as HTTP Referrer Protection; in this case it is currently blocking our IP addresses, producing a "403" response from CDN URLs. In the related 502 Bad Gateway scenario, the origin server blocks the CDN servers at the firewall level, producing the response "502". In the case of a "403" with no HTTP Referrer Protection on the CDN side, the cause can be found in the .htaccess file at the origin server.
How to deal with 403 Forbidden?
- If HTTP Referrer Protection is enabled, there is no need to deal with this response at all. As long as the website pulls from the CDN and populates pages with CDN files, a forbidden response is normal for disallowed referrers or direct access.
- If the origin has strong HotLink Protection that allows only strictly defined referrers, or has CDN server IP addresses listed under the "Deny From" directive in the .htaccess file, it may be necessary to obtain the MaxCDN IP addresses that belong to our edge servers and ensure these IPs are not blocked. Alternatively or additionally, adding the CDN domain to the referrer list is advised in this instance.
Example of a denied IP, 111.111.111.110, from our network in .htaccess (this entry should be removed from the deny list):
order allow,deny
deny from 123.12.21.123
deny from 111.111.111.110
allow from all
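Example of hotlink protection (the dots in the host name are escaped and the host name is terminated, so look-alike host names do not match):
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com([/:]|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]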
Adding the following CDN domains to the referrer list (above) is advisable to prevent blocking assets coming from MaxCDN:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://foo\.bar\.netdna-cdn\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://foo-bar\.netdna-ssl\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?cdn\.domain\.com([/:]|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp|css|js|pdf)$ - [NC,F,L]
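How a set of negated Referer conditions like this is evaluated, and why the host part of each pattern should be escaped and terminated, can be checked offline before the rules go live. This is an added example, not MaxCDN's code: Python's `re` stands in for Apache's regex engine, 200 simply means "not refused by this rule", and the Referer values (including the hypothetical host `other.example`) are constructed samples.

```python
import re

# Allowed-referrer patterns written loosely: dots unescaped, host not terminated.
LOOSE = [
    r"^http(s)?://(www\.)?domain.com",
    r"^http(s)?://foo.bar.netdna-cdn.com",
]
# Same hosts with dots escaped and the host name terminated.
STRICT = [
    r"^https?://(www\.)?domain\.com([/:]|$)",
    r"^https?://foo\.bar\.netdna-cdn\.com([/:]|$)",
]
# Paths covered by the RewriteRule ([NC] -> IGNORECASE).
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|webp|css|js|pdf)$", re.IGNORECASE)

# Constructed sample Referer values (hypothetical hosts).
SAMPLES = [
    "https://www.domain.com/index.html",        # the site itself
    "https://foo.bar.netdna-cdn.com/site.css",  # asset loaded via the CDN domain
    "",                                         # no Referer: direct access
    "https://other.example/gallery",            # third-party page
    "https://domain.com.other.example/",        # look-alike: allowed prefix
    "https://domainxcom.other.example/",        # look-alike: "." matched "x"
]


def is_forbidden(path, referer, patterns):
    """True when the rule set would answer 403 for this request."""
    if not PROTECTED.search(path):
        return False  # RewriteRule pattern does not cover this path
    # Conditions are negated and ANDed: refuse only if NO pattern matches.
    return not any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def audit(path="/img/logo.png"):
    """Return (referer, loose_verdict, strict_verdict) for every sample."""
    rows = []
    for ref in SAMPLES:
        loose = 403 if is_forbidden(path, ref, LOOSE) else 200
        strict = 403 if is_forbidden(path, ref, STRICT) else 200
        rows.append((ref, loose, strict))
    return rows


if __name__ == "__main__":
    for ref, loose, strict in audit():
        print(f"{ref or '(empty)':45} loose={loose} strict={strict}")
```

The empty Referer row is refused under both lists, which is the direct-access behaviour described above.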
We hope this article was helpful. As always, if there are any questions or concerns about any of the topics mentioned in this article, please feel free to reach out to support; we are available 24/7 by chat or email!