403 - modsecurity action in the live website?


I just made my first project in ASP.NET MVC and made it live on hostgator.in. On one page of my application I am loading a partial view through ajax, which is not working properly, and in the console I am getting the error

Failed to load resource: the server responded with a status of 403 (ModSecurity Action).

After searching about it, I understand that the client (my browser) does not have permission to access the requested URL and hence no ajax call is working / no JavaScript code is running. I am not able to figure out why I don't have the permission.

2

There are 2 best solutions below

0
On

ModSecurity blocks suspicious-looking requests to improve security.

So it's not so much that you don't have permission (which is what a 403 would normally indicate) but that something about your requests triggers ModSecurity to jump in and block them. Web Application Firewalls (WAF) like ModSecurity can be prone to false positives if not "tuned" to allow the traffic your website normally uses.

You'll need to speak to HostGator to figure out exactly what rule this tripped and how to tweak the rule to allow this request to go through in future.

0
On

Many hosting companies use the Plesk control panel, which implements the ModSecurity Web Application Firewall (WAF) by default.

While you could completely turn off the Web Application Firewall (WAF) on Plesk, this wouldn't be a great idea because the purpose of the WAF is to help protect your website from various attacks.

Instead, turn off only the specific Rule IDs that are causing the issue. In my case, I needed to allow .axd files on my website in order for ajax to work (e.g., ScriptResource.axd and WebResource.axd).

  1. Identify the specific Rule ID that is being violated by opening the "ModSecurity Logfile" on the WAF page in the Plesk control panel.

  2. Search for the 403 Access Denied message in the logfile and then look for a substring that looks like [id "942440"]. This is the rule ID that is being violated.

  3. Switch off the "Security Rule" that applies to this issue, by typing the ID number in the "Switch off Security Rules" section on the Plesk WAF page. In this example, you would type just the numbers "920440" inside the text box.

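Steps 1 and 2 of the answer above, done offline on a downloaded copy of the log, as an added example that is not part of the original answer. It assumes ModSecurity 2.x Apache error-log formatting; the sample lines, hosts, clients and paths are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in ModSecurity 2.x / Apache error-log style.
# Hosts, clients and paths are made up; the rule IDs are the two quoted in the answer.
SAMPLE_LOG = r'''
[Mon Jan 01 10:00:01 2024] [:error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). [file "/rules/a.conf"] [line "10"] [id "920440"] [msg "constructed message"] [hostname "www.example.test"] [uri "/ScriptResource.axd"] [unique_id "A1"]
[Mon Jan 01 10:00:02 2024] [:error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 1). [file "/rules/a.conf"] [line "10"] [id "920440"] [msg "constructed message"] [hostname "www.example.test"] [uri "/WebResource.axd"] [unique_id "A2"]
[Mon Jan 01 10:00:03 2024] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 1). [file "/rules/a.conf"] [line "10"] [id "920440"] [msg "constructed message"] [hostname "www.example.test"] [uri "/ScriptResource.axd"] [unique_id "A3"]
[Mon Jan 01 10:00:04 2024] [:error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [file "/rules/b.conf"] [line "20"] [id "942440"] [data "Matched Data: a \"--\" b"] [hostname "www.example.test"] [uri "/Home/Search"] [unique_id "A4"]
[Mon Jan 01 10:00:05 2024] [:error] [client 198.51.100.9] ModSecurity: Warning. Pattern match. [file "/rules/b.conf"] [line "20"] [id "942440"] [hostname "www.example.test"] [uri "/Home/Search"] [unique_id "A5"]
[Mon Jan 01 10:00:06 2024] [core:error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
'''

# Only lines where ModSecurity actually returned the 403 are of interest.
DENIED = re.compile(r"ModSecurity: Access denied with code 403")
# [key "value"] metadata fields; the value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def denied_events(log_text):
    """Return one {'id', 'uri'} dict per 403 denial found in the log text."""
    events = []
    for line in log_text.splitlines():
        if not DENIED.search(line):
            continue  # warnings (detection only) and unrelated errors are skipped
        fields = dict(FIELD.findall(line))
        if "id" in fields:
            events.append({"id": fields["id"], "uri": fields.get("uri", "?")})
    return events

def rules_to_review(log_text):
    """Group denials by rule ID: (rule_id, hit_count, sorted URIs), busiest first."""
    by_rule = defaultdict(lambda: {"hits": 0, "uris": set()})
    for ev in denied_events(log_text):
        by_rule[ev["id"]]["hits"] += 1
        by_rule[ev["id"]]["uris"].add(ev["uri"])
    rows = [(rid, d["hits"], sorted(d["uris"])) for rid, d in by_rule.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for rule_id, hits, uris in rules_to_review(SAMPLE_LOG):
        print(f"rule {rule_id}: {hits} denial(s) on {', '.join(uris)}")
```

Listing the URIs next to each rule ID shows which requests a rule was blocking before it is switched off, so the exclusion can be limited to rules that only fire on traffic the site legitimately sends.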