[GH-ISSUE #4362] [bug]: 403 Unauthorized on write requests #1589

Open
opened 2026-03-16 20:59:15 +03:00 by kerem · 0 comments
Owner

Originally created by @travrob1 on GitHub (Sep 19, 2024).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/4362

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

When making write requests (POST, PUT, PATCH, DELETE), I have been encountering consistent 403s. When making the same request via curl, Postman, Insomnia, I get successful responses.
Here is a sample request

```
curl --request POST \
  --url https://author-p112103-e261210-cmstg.xxx.com/x/assets/urn:aaid:aem:6b842ed9-89cf-4576-98eb-a4876bd18645/relations \
  --header 'Authorization: Bearer xxx' \
  --header 'content-type: application/json' \
  --data '{ "items": [ { "assetId": "urn:aaid:aem:ea70cc6e-066c-4e9e-bbd7-20757ead091a", "relationType": "derived" } ] }'
```

and the raw response
```
<html>
  <head>
    <title>403 Not allowed.</title>
  </head>
  <body>
    <h1>Error 403 Not allowed.</h1>
    <p>Not allowed.</p>
    <p>Trace-id: b365af09-0559-4f98-bda8-f8fee0099cc6</p>
  </body>
</html>
```

I experimented with all three types of interceptors to see what was happening.

No interceptor: CORS error, preflight missing allow origin header
Proxy:

```
{
  "success": true,
  "isBinary": true,
  "status": 403,
  "data": "PCFET0NUWVBFIGh0bWw+CiAgICAgIDxodG1sPgogICAgICAgIDxoZWFkPgogICAgICAgICAgPHRpdGxlPjQwMyBOb3QgYWxsb3dlZC48L3RpdGxlPgogICAgICAgIDwvaGVhZD4KICAgICAgICA8Ym9keT4KICAgICAgICAgIDxoMT5FcnJvciA0MDMgTm90IGFsbG93ZWQuPC9oMT4KICAgICAgICAgIDxwPk5vdCBhbGxvd2VkLjwvcD4KICAgICAgICAgIDxwPlRyYWNlLWlkOiBiMzY1YWYwOS0wNTU5LTRmOTgtYmRhOC1mOGZlZTAwOTljYzY8L3A+CiAgICAgICAgPC9ib2R5PgogICAgICA8L2h0bWw+CiAgICA",
  "statusText": "Forbidden",
  "headers": {
    "accept-ranges": "bytes",
    "content-length": "287",
    "date": "Thu, 19 Sep 2024 16:16:53 GMT",
    "retry-after": "0",
    "strict-transport-security": "max-age=31557600",
    "x-cache": "MISS",
    "x-served-by": "cache-chi-kigq8000113-CHI",
    "x-timer": "S1726762613.749729,VS0,VE264"
  }
}
```

Browser extension: Unknown... could not find a way to see the internal response from the extension... Only seeing 403 received in the application.

I attempted to add a new origin to the browser extension, but could not tell if that was the exact issue.
Ultimately had to move to another tool.

NOTE. Occasionally on different requests, I would get successful responses if I signed on in the browser to the application using OAuth sign in... I think the browser extension would pick that up and include it in requests... but again I was unable to find a way to log the exact request sent by the extension.

Steps to reproduce

Unfortunately I cannot give you the exact request I used due to security.
Make a write request to a remote server.

Environment

Production

Version

Cloud
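
For reading proxy output like the envelope quoted in the issue, the following Node.js helper decodes the base64 `data` field and pulls out the status, error-page title and trace id so two captures can be compared. It is an added example, not part of the original issue and not Hoppscotch code; the field names come from the quoted output, while the function name `decodeProxyEnvelope`, the meaning given to `success` and the sample values are assumptions constructed for illustration.

```javascript
// Added example (Node.js): decode a proxy-interceptor envelope of the shape
// quoted in the issue. Not Hoppscotch code; sample values are constructed.

function decodeProxyEnvelope(envelope) {
  const env = typeof envelope === "string" ? JSON.parse(envelope) : envelope;
  const raw = env.data == null ? "" : String(env.data);
  // With isBinary set, `data` carries the upstream body as base64.
  // Buffer.from tolerates input whose trailing "=" padding is missing.
  const body = env.isBinary ? Buffer.from(raw, "base64").toString("utf8") : raw;
  const title = body.match(/<title>([^<]*)<\/title>/i);
  const trace = body.match(/Trace-id:\s*([0-9a-f-]{36})/i);
  const headers = env.headers || {};
  return {
    // Assumption: `success` describes the relay call, `status` the upstream answer.
    relayed: env.success === true,
    status: env.status,
    title: title ? title[1].trim() : null,
    traceId: trace ? trace[1] : null,
    servedBy: headers["x-served-by"] || null,
    body,
  };
}

// Constructed sample: same shape as the quoted envelope, placeholder values.
const SAMPLE_HTML =
  "<html><head><title>403 Not allowed.</title></head><body>" +
  "<p>Trace-id: 00000000-0000-4000-8000-000000000000</p></body></html>";

const SAMPLE_ENVELOPE = {
  success: true,
  isBinary: true,
  status: 403,
  statusText: "Forbidden",
  // Padding stripped on purpose to exercise the unpadded case.
  data: Buffer.from(SAMPLE_HTML, "utf8").toString("base64").replace(/=+$/, ""),
  headers: { "x-cache": "MISS", "x-served-by": "cache-example-0000" },
};

const { body, ...summary } = decodeProxyEnvelope(SAMPLE_ENVELOPE);
console.log(summary);
```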
