Troubleshooting 403 Error in .NET Core App When Executing PUT or DELETE Requests


In this knowledge base article, we'll go over potential issues and solutions when encountering a 403 error in a .NET Core application when executing PUT or DELETE requests. This could occur when interfacing with a REST API via an Angular application or Swagger.

Symptom
When executing a PUT or DELETE request, you encounter a 403 - Forbidden error, stating: "Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."

Cause
There are several possible causes for this behavior, including:

  1. Restrictions due to the WebDAV module.
  2. CORS (Cross-Origin Resource Sharing) issues when the requests come from a different origin.
  3. Absence or incorrect usage of authentication tokens in your requests.
  4. The content type specified in your headers is incorrect or not as expected.
  5. The need for a CSRF token to prevent cross-site request forgery.


Solution

1. Remove WebDAV Module
The WebDAV module could interfere with certain HTTP verbs. Try removing it by adding the following code in the <system.webServer> section in your web.config:


<modules runAllManagedModulesForAllRequests="true">
  <remove name="WebDAVModule" />
</modules>

Or you can try:

<modules>
  <remove name="WebDAVModule" />
</modules>
<handlers>
  <remove name="WebDAV" />
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*."
       verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS"
       type="System.Web.Handlers.TransferRequestHandler"
       preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>

2. Configure CORS
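When testing the APIs using Swagger, requests are sent from the same origin, so CORS issues do not arise. However, with Angular, requests likely come from a different origin, and you'll need to allow these cross-origin requests. For cross-origin PUT and DELETE requests the browser first sends a preflight OPTIONS request, so the server's CORS policy must allow the Angular origin as well as the PUT and DELETE methods and the request headers you send.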

3. Authentication Tokens
If your endpoints are secured, ensure that you're sending an authentication token in your requests. Swagger might be adding this token automatically, which is why your requests work in that environment. In Angular, you'll need to include the token in your request headers yourself.

4. Set Correct Content-Type
Ensure you're sending the correct content type in your headers. If the server is expecting JSON data, your headers should include 'Content-Type': 'application/json'.

5. Include CSRF Tokens
If cross-site request forgery protection is in place, it might require a CSRF token sent with your PUT or DELETE requests. You'll need to obtain this token and include it in your headers.

6. Set the Web Application Firewall in Plesk to Off or Detection Only.

Further Investigation
If none of these solutions resolve the issue, compare the exact request being sent by Swagger with the one sent by your Angular application. Using the browser's developer tools (network tab), ensure the headers in both requests match exactly.
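
The comparison described above can be scripted. The following is an added example, not code from the original article: it takes the request headers copied from the Network tab for the working Swagger call and the failing Angular call and reports only the headers tied to causes 2 to 5. The sample captures are constructed, and the CSRF header name x-xsrf-token (Angular HttpClient's default) is an assumption; token values are redacted so the output is safe to paste into a ticket.

```javascript
// Headers behind causes 2-5 in this article, lower-cased for comparison.
// Assumption: the CSRF token travels in "x-xsrf-token" (Angular HttpClient's default).
const WATCHED = ["origin", "authorization", "content-type", "x-xsrf-token"];

// Parse "Name: value" lines as copied from the DevTools Network tab.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    const name = line.slice(0, idx).trim().toLowerCase();
    if (idx <= 0 || /\s/.test(name)) continue; // request line, HTTP/2 pseudo-headers
    headers.set(name, line.slice(idx + 1).trim());
  }
  return headers;
}

// Keep only what matters for the comparison and keep secrets out of the output.
function normalize(name, value) {
  if (value === undefined) return undefined;
  if (name === "authorization") return value.split(/\s+/)[0].toLowerCase() + " <redacted>";
  if (name === "x-xsrf-token") return "<redacted>";
  if (name === "content-type") return value.split(";")[0].trim().toLowerCase();
  return value;
}

// Compare the working (Swagger) capture with the failing (Angular) capture.
function compareRequests(workingRaw, failingRaw) {
  const working = parseHeaders(workingRaw), failing = parseHeaders(failingRaw);
  const findings = [];
  for (const name of WATCHED) {
    const w = normalize(name, working.get(name));
    const f = normalize(name, failing.get(name));
    if (w === f) continue; // same scheme / media type / origin, or absent in both
    const status = f === undefined ? "missing" : w === undefined ? "extra" : "differs";
    findings.push({ header: name, status, working: w, failing: f });
  }
  return findings;
}

// Constructed sample captures (not taken from the article).
const SWAGGER_REQUEST = `PUT /api/items/7 HTTP/1.1
Origin: https://api.example.test
Authorization: Bearer constructed.sample.token
Content-Type: application/json; charset=utf-8`;
const ANGULAR_REQUEST = `PUT /api/items/7 HTTP/1.1
Origin: http://localhost:4200
Content-Type: text/plain`;
for (const f of compareRequests(SWAGGER_REQUEST, ANGULAR_REQUEST))
  console.log(`${f.header}: ${f.status} (Swagger: ${f.working}, Angular: ${f.failing})`);
```

A differing origin points to the CORS configuration, a missing authorization or x-xsrf-token header to the token fixes, and a differing content-type to the Content-Type fix.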

Conclusion
The 403 Forbidden error can be caused by a variety of issues when making PUT or DELETE requests on your .NET Core app. By systematically investigating these potential causes and implementing the suggested solutions, you should be able to resolve the error and successfully manage your requests.

