Having status code “403 Forbidden” as a response from CDN for a file or root location means that protection, that is used to filter/throttle access, is set on:

  1. CDN side by using HTTP Referrer Protection which is designed to allow only Whitelisted domains (referrers) so all other domains (as well as any direct access) will be rejected with status code “403”.
  2. Origin side via HotLink Protection which suppose to have same purpose as HTTP Referrer Protection and, in this case, it is currently blocking our IP Addresses producing “403” response from CDN URLs. If you look under 502 Bad Gateway scenario, you can see that origin server is blocking our servers on firewall level producing response “502”, in case with “403” and absence of HTTP Referrer Protection on our end, the cause can be found in .htaccess file on origin server.

How to deal with 403 Forbidden?

  1. In case that HTTP Referrer Protection is enabled, there is no need to deal with this response at all, as long as your website pulls from CDN and populates pages with CDN files, forbidden response is normal for not-allowed referrers or direct access.
  2. However, having strong HotLink Protection on origin side that allows only strictly defined referrers and/or our IP addresse(s) listed under “Deny From” directive within .htaccess file, you need to canvas HotLink Protection IP address list, Visit this page to obtain IP addresses that belong to our edge servers and remove any blocked IP belongs to our IP blocks and/or add CDN domain into referrer list.
  3. Example of denied IP from our network in htaccess (which should be removed from deny list):
    order allow,deny
    deny from
    deny from
    allow from all
  4. Example of hotlink protection:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

    You should add CDN domain(s) into this list or remove hotlink protection completely:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://foo.bar.netdna-cdn.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://foo-bar.netdna-ssl.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?cdn.domain.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|png|webp|css|js|gif|pdf)$ - [NC,F,L]