403 on wp-admin Ajax Nonce with APO

Hello Guys! I have APO enabled on the production site and it is giving me 403 wp-admin Ajax nonce errors.
Know more about nonces: Nonces and Cache Lifespan - WP Rocket Knowledge Base

Please can someone guide me on how to fix it?

The error goes like this: 403 Error Code | mysite.com/wp-admin/admin-ajax.php?action=as_async_request_queue_runner&nonce=014a5d9eb6

On staging, there is no APO and my site functions well.

I don't have any cache plugin; it's only NGINX FastCGI.
With security plugins and themes disabled, the issue still persists.

The problem is solved if I clear the Cloudflare cache or when I load the page by hitting CTRL+SHIFT+R.

After 12 to 18 Hours, I get the same error.

I have the same problem. I have adjusted the security level to (Under Attack) and now I cannot access that URL, with a similar error.

The link about nonces states that they are valid for 12 hours by default. So you need to make sure that whatever caches you have of the HTML for any given URL that requires a nonce are shorter than 12 hours.

If this problem is being caused by Cloudflare, it’s likely you are either using a page rule with Cache Everything, or APO.

If the former, make sure you create page rules for the URL patterns that require a nonce and place them above the Cache Everything page rule.

Hello, I am using APO, not the Page Rule Cache Everything. How should I address the issue for APO?

Is it something for me to take care of, or the developers of APO?

Sorry to hear you are getting the 403 error. It's a client-side error; 4xx codes generally are error responses specifying an issue at the client's end. Potentially a network issue.

403 means forbidden. Without even visiting the troubleshooting page for 4xx errors (4xx Client Error – Cloudflare Help Center): the 403 error can be caused by Cloudflare IPs being blocked. Allow Cloudflare IPs in the firewall page of your domain; for steps on how to allow Cloudflare IPs, look below.

  1. Log in to your Cloudflare account
  2. Click the domain you want to allow Cloudflare IPs on
  3. Click "Firewall"
  4. Click "Firewall rules"
    Notice: You are limited to 5 firewall rules with a free plan. You can purchase more if you have no firewall rules left, or you can pause or delete a firewall rule
  5. Click "Create a firewall rule"
  6. Allow these IP’s: 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/15, 104.16.0.0/12, 172.64.0.0/13, 131.0.72.0/22, 2400:cb00::/32, 2606:4700::/32, 2803:f800::/32, 2405:b500::/32, 2405:8100::/32, 2a06:98c0::/29, 2c0f:f248::/32
    Notice: These IPs will work ONLY IF the operator value is set to "is in"
    The expression will look something like this (you can copy and paste this to make the expression automatically; the ranges must be joined with "or", since a single source IP can only fall inside one of them): (ip.src in {173.245.48.0/20} or ip.src in {103.21.244.0/22} or ip.src in {141.101.64.0/18} or ip.src in {108.162.192.0/18} or ip.src in {190.93.240.0/20} or ip.src in {188.114.96.0/20} or ip.src in {197.234.240.0/22} or ip.src in {198.41.128.0/17} or ip.src in {162.158.0.0/15} or ip.src in {104.16.0.0/12} or ip.src in {172.64.0.0/13} or ip.src in {131.0.72.0/22} or ip.src in {2400:cb00::/32} or ip.src in {2606:4700::/32} or ip.src in {2803:f800::/32} or ip.src in {2405:b500::/32} or ip.src in {2405:8100::/32} or ip.src in {2a06:98c0::/29} or ip.src in {2c0f:f248::/32})
    Notice: If copying and pasting, remember to click "Edit expression" first!
  7. Click "Choose a feature"
  8. From the dropdown, click "Bypass" or "Allow"
    If picking Bypass, you must pick at least 1 feature for Cloudflare to bypass
  9. Click "Save".

If you have already allowed Cloudflare IPs, then this is troubleshooting information from 4xx Client Error – Cloudflare Help Center:

If you're seeing a 403 error without Cloudflare branding, this is always returned directly from the origin web server, not Cloudflare, and is generally related to permission rules on your server. The top reasons for this error are:

  1. Permission rules you have set, or an error in the .htaccess rules you have set
  2. Mod_security rules
  3. IP Deny rules

Since Cloudflare cannot access your server directly, please contact your hosting provider for assistance with resolving 403 errors and fixing rules. You should make sure that Cloudflare's IPs aren't being blocked.

Cloudflare will serve 403 responses if the request violated either a default WAF rule enabled for all orange-clouded Cloudflare domains or a WAF rule enabled for that particular zone. Read more at What does the Web Application Firewall do? Cloudflare will also serve a 403 Forbidden response for SSL connections to sub/domains that aren’t covered by any Cloudflare or uploaded SSL certificate.

If you’re seeing a 403 response that contains Cloudflare branding in the response body, this is the HTTP response code returned along with many of our security features:

Web Application Firewall challenge and block pages
Basic Protection level challenges
Most 1xxx Cloudflare error codes
The Browser Integrity Check
If you're attempting to access a second level of subdomains (e.g. ..example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser as these host names are not present on the certificate.
If you have questions contact Cloudflare Support and include a screenshot of the message you see or copy all the text on the page into a support ticket.

Hello William, I have shared an article to understand nonces.
The issue is solved once I purge the Cloudflare cache.
I have checked my logs; nothing's there.

Please check the blog I have linked in my question to understand this better.

OK, glad to hear the issue is resolved!

Hello Guys! The issue is solved. Just wanted to mention it here in case someone faces this.
All my nonce errors are gone after I reduced the Edge TTL with Page Rules.

Source: Understanding Automatic Platform Optimization (APO) with WordPress – Cloudflare Help Center
On this page it's mentioned in the end part how to use Page Rules to control APO.

" * Edge Cache TTL

APO will apply custom Edge TTL instead of 30 days. It is helpful for pages that can generate captchas or nonces."

Hence I created a Page Rule:

https://mysite.com/*

Edge Cache TTL = 8 hours (because nonce validity is less than 12 hours in general, so better to keep 8 hours to be on the safe side)

Issue Solved :smiley:

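To make the cache-lifetime argument from the replies above concrete, here is an added Python model that is not from this thread, WordPress or Cloudflare: it mirrors WordPress's 12-hour nonce ticks (wp_nonce_tick / wp_verify_nonce, with a constructed secret in place of wp_salt()) and a simplified APO edge cache, and shows why a 30-day Edge Cache TTL yields a 403 from admin-ajax.php after 18 hours while the 8-hour Page Rule never serves a nonce that has expired.

```python
import hashlib
import hmac
import math

# WordPress defaults: nonce lifetime DAY_IN_SECONDS, split into two 12-hour ticks,
# so a nonce stays valid for between 12 and 24 hours depending on when it was minted.
NONCE_LIFE = 24 * 60 * 60
TICK = NONCE_LIFE // 2                 # 12 hours
SECRET = b"constructed-demo-secret"    # constructed; WordPress derives this from wp_salt('nonce')


def nonce_tick(now: int) -> int:
    """Mirror of wp_nonce_tick(): the counter advances once every 12 hours."""
    return math.ceil(now / TICK)


def _nonce_hash(tick: int, action: str) -> str:
    # Same shape as WordPress: keyed hash of "tick|action", truncated to 10 hex chars.
    return hmac.new(SECRET, f"{tick}|{action}".encode(), hashlib.md5).hexdigest()[-12:-2]


def make_nonce(action: str, now: int) -> str:
    """Simplified wp_create_nonce(): bind the nonce to the current tick."""
    return _nonce_hash(nonce_tick(now), action)


def verify_nonce(nonce: str, action: str, now: int):
    """Simplified wp_verify_nonce(): 1 = current tick, 2 = previous tick, False = stale or forged."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_hash(t, action), nonce):
            return age
    return False


def nonce_from_edge(action: str, edge_ttl: int, generated_at: int, now: int) -> str:
    """Model of APO: HTML rendered at generated_at (nonce baked in) is served from the edge until edge_ttl elapses."""
    if now - generated_at < edge_ttl:
        return make_nonce(action, generated_at)   # cache hit: stale HTML, stale nonce
    return make_nonce(action, now)                # cache miss: origin renders fresh HTML


def admin_ajax_status(action: str, edge_ttl: int, generated_at: int, now: int) -> int:
    """Status admin-ajax.php would return for the nonce the browser picked up from the cached page."""
    nonce = nonce_from_edge(action, edge_ttl, generated_at, now)
    return 200 if verify_nonce(nonce, action, now) else 403


if __name__ == "__main__":
    H = 3600
    t0 = 1001 * TICK - 1   # worst case: page rendered just before a tick boundary
    print(admin_ajax_status("as_async_request_queue_runner", 30 * 24 * H, t0, t0 + 18 * H))  # 403
    print(admin_ajax_status("as_async_request_queue_runner", 8 * H, t0, t0 + 18 * H))        # 200
```

The worst case is a page rendered moments before a tick rolls over, which leaves the nonce exactly 12 hours of validity; any Edge Cache TTL below that, such as the 8 hours chosen above, keeps every cached copy usable.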
