403 TESTING

403 FORBIDDEN

OVERVIEW

A 403 Forbidden error occurs when a user attempts to access a website or application but is denied permission by the server. This indicates that the server has received and understood the request, but access is being blocked based on configured security policies.

In many cases, this issue is caused by custom security rules configured within the Web Application Firewall (WAF) or access control settings. For example, if a custom rule is configured to block traffic originating from a specific country (such as the United States), users accessing the site from that location will receive a 403 Forbidden response.



RESOLUTION STEPS

Follow the steps below to identify and resolve the issue:

Step 1: Confirm that the 403 Forbidden response originates from the WAF. The error page presented to the user should resemble the example shown below. Once verified, continue with the resolution steps outlined in this guide.


Step 2: Review Custom Security Rules

  1. Log in to the WAAF dashboard.
  2. From the left navigation pane, go to WAF Policies > Custom WAF Policies.
  3. Review the access restriction rules. Examine all active security and custom access rules configured for the application to identify any conditions that may be blocking legitimate requests. Pay particular attention to rules based on:
     a. Geographic location (geo-blocking) – restrictions applied to specific countries or regions.
     b. IP addresses or IP ranges – allowlist or blocklist entries that may be preventing access.
     c. User-Agent filtering – rules that block or restrict requests from specific browsers, bots, or devices.
     d. Request headers or URLs – conditions that inspect request headers, paths, query parameters, or URL patterns.
     e. Custom access policies – any other user-defined rules or security policies that may deny access under specific conditions.
     If any rule is identified as the cause of the 403 Forbidden status, modify or disable the rule as appropriate and verify that access is restored.



Step 3: Identify and Modify the Triggering Rule
  Review security logs and rule events to identify the specific custom rule responsible for generating the 403 Forbidden response. Once identified, evaluate whether the rule is incorrectly blocking legitimate traffic. If necessary, modify the rule conditions, exceptions, or allowlist settings to ensure that valid requests are permitted and successfully forwarded to the origin server/application instead of being blocked with a 403 response.

Step 4: Modify or Remove Restrictive Rules
  If the identified rule is blocking valid requests, update its conditions, exceptions, or allowlist settings to permit legitimate users and traffic while maintaining the intended security controls and protection requirements.

Step 5: Verify Resolution
  After updating the rule, attempt to access the website again from the affected location, network, or client. Confirm that legitimate requests are successfully reaching the application and that the 403 Forbidden error is no longer being returned.


Note: If the issue persists after reviewing custom rules, examine server-side permissions, access control lists (ACLs), and firewall configurations, as these may also result in a 403 Forbidden response.
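The triage in Steps 1 and 3 (separating WAF-generated 403s from origin-generated ones, then finding the custom rule behind them) and the allowlist check in Steps 4 and 5 can be done offline against an exported event log. The script below is an added example and not Prophaze's own code or log format: the JSON field names (client_ip, country, status, source, rule_id, rule_name, uri) and the sample events are constructed assumptions, so map them to the fields of your real log export before use.

```python
"""Triage constructed WAF event logs to find the custom rule behind 403 responses.

Added example, not Prophaze's code. The JSON event format and field names
below are assumptions for illustration; adapt them to the real log export.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample events (not real traffic). "source" says whether the
# WAF itself produced the response or it was passed through from the origin.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-01T10:00:01Z","client_ip":"203.0.113.10","country":"US","status":403,'
    '"source":"waf","rule_id":"custom-geo-01","rule_name":"Block US traffic","uri":"/login"}',
    '{"ts":"2024-05-01T10:00:05Z","client_ip":"203.0.113.11","country":"US","status":403,'
    '"source":"waf","rule_id":"custom-geo-01","rule_name":"Block US traffic","uri":"/"}',
    '{"ts":"2024-05-01T10:00:09Z","client_ip":"198.51.100.7","country":"DE","status":200,'
    '"source":"origin","rule_id":null,"rule_name":null,"uri":"/"}',
    # A 403 generated by the origin server, not by a WAF rule (see the Note above).
    '{"ts":"2024-05-01T10:01:02Z","client_ip":"192.0.2.44","country":"GB","status":403,'
    '"source":"origin","rule_id":null,"rule_name":null,"uri":"/admin"}',
    '{"ts":"2024-05-01T10:01:30Z","client_ip":"203.0.113.12","country":"US","status":403,'
    '"source":"waf","rule_id":"custom-ua-03","rule_name":"Block legacy UA","uri":"/api"}',
    'not json at all',  # malformed line, must not abort the triage
]


def parse_events(lines):
    """Parse one JSON event per line, skipping lines that are not valid JSON."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def waf_403s(events):
    """Step 1: keep only the 403s the WAF itself generated, not origin 403s."""
    return [e for e in events if e.get("status") == 403 and e.get("source") == "waf"]


def rules_by_403_count(events):
    """Step 3: count WAF 403s per rule, with the countries and client IPs hit.

    Returns a dict ordered from the most to the least frequently triggered rule.
    """
    summary = defaultdict(lambda: {"name": None, "count": 0,
                                   "countries": Counter(), "ips": Counter()})
    for e in waf_403s(events):
        s = summary[e["rule_id"]]
        s["name"] = e.get("rule_name")
        s["count"] += 1
        s["countries"][e.get("country")] += 1
        s["ips"][e.get("client_ip")] += 1
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True))


def allowlist_covers(allowlist, client_ip):
    """Steps 4 and 5: check that a proposed allowlist exception really covers
    the affected client, so a too-narrow CIDR is caught before re-testing."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for rule_id, s in rules_by_403_count(events).items():
        print(f"{rule_id} ({s['name']}): {s['count']} x 403, "
              f"countries={dict(s['countries'])}, ips={dict(s['ips'])}")
    # Example exception for the affected US clients: /28 covers .0-.15 only.
    proposed = ["203.0.113.0/28"]
    for ip in ("203.0.113.10", "203.0.113.44"):
        print(ip, "covered" if allowlist_covers(proposed, ip) else "NOT covered", "by", proposed)
```

Run it on the exported log instead of SAMPLE_EVENTS by reading the file line by line into parse_events; the rule at the top of the output is the first candidate to examine in Step 3, and origin-generated 403s are excluded so they are investigated under the Note above rather than in the custom rules.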

