403 forbidden error when trying to hit the rest api endpoint of a plugin installed on my site

Website URL

(please specify the URL of the site on which you are experiencing the problem)

Error Message

I created a simple plugin in which I registered an API endpoint that, upon success, returns the site URL.
But I am getting a 403 Forbidden error as a response when I call this API endpoint from my other site.
Below is part of the error message:

(
    [headers] => WpOrg\Requests\Utility\CaseInsensitiveDictionary Object
        (
            [data:protected] => Array
                (
                    [server] => nginx
                    [date] => Wed, 15 May 2024 16:54:20 GMT
                    [content-type] => text/html
                    [content-length] => 146
                )

        )

    [body] => <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

    [response] => Array
        (
            [code] => 403
            [message] => Forbidden
        )

    [cookies] => Array
        (
        )

Other Information

Below is the piece of code I wrote to register the endpoint:

add_action( 'rest_api_init', 'register_routes' );
function register_routes() {
	register_rest_route(
		'mahi/v1',
		'/settings',
		array(
			array(
				'methods'             => 'GET',
				'callback'            => 'get_items',
				'permission_callback' => 'create_items_permissions_check',
			),
		)
	);
}

function create_items_permissions_check() {
	return true;
}
function get_items() {
	return rest_ensure_response( get_site_url() );
}

Please read

Take note

6 Likes

Can anyone elaborate on what this means: “InfinityFree is not intended to be used for file sharing, API hosting, database hosting or background tasks/tools.”

And is aes.js responsible for why I am getting a 403 Forbidden error when I hit this endpoint?

It means what it means. InfinityFree’s service shouldn’t be used for these subjects, only for website hosting.

It should be responsible. As you can see, the response indicated that the server was using nginx, which is a sign of hitting the aes.js without moving on.

3 Likes

Does it mean any plugin in which an API endpoint is registered won’t work on InfinityFree hosting sites if that API gets hit from other sites?

How can I handle this in code to make the API response successful (i.e., 200)? Any help will be appreciated. Thank you.

Yes. They can indeed work if the AJAX calls come from within the site.

You can’t handle this to make it succeed. A limit is a limit. No matter how hard you try to handle this, it won’t work, as the code you are trying to set up won’t even be fired because the request never gets there.

3 Likes

Thank you for the information.

Why is it not allowing the request? Is it possible that the protection system is flagging this as malicious activity?

Will I get the 403 Forbidden error due to this aes.js file on a paid site as well?

Does anyone have any insights regarding this?

The security system indeed blocks automated requests. But that system is nowhere near intelligent — so it cannot “flag a request as malicious”.
It depends on technologies that are decades old and simply checks whether the incoming request can execute JavaScript and allow cookies, which mainly includes browsers and search engines.

Premium hosting doesn’t have this system, so no.

2 Likes

Short answer: yes.

Longer answer: in addition to the aes.js system, there are additional rules that visitors are checked against before they reach the aes.js system to begin with. Those tend to cause 403 Forbidden errors. If not, you’d likely get a 200 OK response, but with the HTML code for the challenge page instead of the actual content you’re trying to reach. So while it’s not technically aes.js that’s causing this, both are part of our suite of security measures for your website.

3 Likes

Thank you Admin for the information.

@Admin I have a plugin, and an API endpoint is registered in the plugin. I am getting this 403 Forbidden error when I call this endpoint from another site. Is there a way for me to check with code that your security system doesn’t allow/process this request, so that I can fall back to another approach? Any help will be appreciated. Thank you.

@Admin Is the same security system/check there on your premium hosting sites?

You already noted you get a 403 Forbidden error when you try the API request. You could just check for that response code and use the fallback if you get a 403.

Although I don’t fully understand why you would want to check for this with code if you already know the endpoint doesn’t work.

No, this system is only present on free hosting, not premium hosting.

4 Likes
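
The check suggested above, extended to the other case the admin describes (a 200 response that carries the challenge page's HTML instead of the endpoint's JSON), as an added example that is not part of the original thread. The function name `mahi_classify_response` and the sample responses are constructed for illustration.

```php
<?php
/**
 * Classify a reply from the remote REST endpoint so the caller can fall back.
 * Hypothetical helper, not a WordPress or InfinityFree API.
 *
 * @param int    $code         HTTP status code.
 * @param string $content_type Content-Type header value.
 * @param string $body         Raw response body.
 * @return string 'ok', 'blocked' (403 before the endpoint ran),
 *                'challenge' (HTML served in place of JSON) or 'error'.
 */
function mahi_classify_response( int $code, string $content_type, string $body ): string {
	if ( 403 === $code ) {
		return 'blocked';
	}
	if ( $code < 200 || $code >= 300 ) {
		return 'error';
	}
	// A REST route answers with JSON. A 2xx reply that is typed as HTML or
	// does not decode as JSON never reached the plugin's callback.
	$is_json_type = false !== stripos( $content_type, 'application/json' );
	json_decode( $body );
	if ( ! $is_json_type || JSON_ERROR_NONE !== json_last_error() ) {
		return 'challenge';
	}
	return 'ok';
}

// Constructed samples: a 403 page like the one in the dump above, an HTML
// page returned with 200, and the JSON the endpoint sends on success.
$samples = array(
	array( 403, 'text/html', '<html><head><title>403 Forbidden</title></head></html>' ),
	array( 200, 'text/html', '<html><body><script src="/aes.js"></script></body></html>' ),
	array( 200, 'application/json; charset=UTF-8', '"https:\/\/example.com"' ),
);
foreach ( $samples as $s ) {
	echo mahi_classify_response( $s[0], $s[1], $s[2] ), PHP_EOL;
}
```

Inside WordPress, feed it `wp_remote_retrieve_response_code()`, `wp_remote_retrieve_header( $r, 'content-type' )` and `wp_remote_retrieve_body()` from the `wp_remote_get()` result, after an `is_wp_error()` check, and switch to the fallback on anything other than `'ok'`.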
