403s from host being cached

Please look at this thread which was not resolved:

In this instance, the 403 screenshot is not from Cloudflare, but from the host - and it matches a typical LiteSpeed server 403 (403 Error - LiteSpeed cPanel Administrator's Handbook - LiteSpeed Documentation). Yet it appears to be being cached by Cloudflare and served via Cloudflare to other users as if it was a static page being edge cached.

We’re seeing the same issue at scale across three very different sites.

It’s my understanding that Cloudflare is edge-caching the 403s served by the hosting provider.

We’ve tested by flushing everything server side and then accessing the website front end using a German proxy IP we know the web hosting provider 403 blocks due to bad reputation. We also do this soon after the cache flush (with no warming or preloading) to ensure this page load is the first pull.

When we then test the same URL using other German locations on Test Locally and similar location screenshot testers all screens return the 403 error. Crucially, when we test all other pages on the same site testing apps, there are no 403 errors, and all pages return 200.

Additionally, the 403 errors seen in the Test Locally screens don’t feature in the web hosting error logs. Only the first pull returns a 403 error in the web hosting log.

So it does appear Cloudflare can edge cache 403 errors from web hosts that use LiteSpeed servers and serve these out as regular pages to users in the same Cloudflare edge location (Cloudflare Global Network | Data Center Locations). We also found this occurs even if LiteSpeed caching is turned off, as we found with Hostinger.

Question:
How can we stop Cloudflare edge from caching 403s served by the host?
Is there a rule for this?
If not, please could devs look into this?

Cloudflare doesn’t cache 403s by default:

https://developers.cloudflare.com/cache/how-to/configure-cache-status-code/

To cache those 403s? Only you would know.

How do you know Cloudflare is caching this? Is there a cf-cache-status header on those 403 responses that says “HIT”?

This is how we know:
When we then test the same URL using other German locations on Test Locally and similar location screenshot testers all screens return the 403 error. Crucially, when we test all other pages on the same site testing apps, there are no 403 errors, and all pages return 200.

And also very likely replicated by another user: Issue with "Cache Everything" Page Rule Causing 403 Forbidden Error for 10% of User

This page doesn’t refer to 403s and is also only applicable to Enterprise accounts - so not relevant here.

Sorry if the original post wasn’t clear.

To be clear.

If you use Cloudflare with cheap shared hosting that uses LiteSpeed - for example *ostinger, it’s quite possible to take down sections of a website by causing 403 errors in a particular location.

Cloudflare is then edge-caching those 403s as static pages and serving them to every other front-end user in that same location. I know Cloudflare shouldn’t do that. But it is.

I’m not going to spell out exactly how you would achieve this - that’s irresponsible - but I’m sure anyone with any dev knowledge will see this is a potential attack vector for any site that uses cheap hosting and Cloudflare set to ‘cache everything’.

Beg to differ. If you use cheap shared hosting backed by LiteSpeed and set Cloudflare to “cache everything” for speed, yes, it does cache 403s in that data center.

This page Default Cache Behavior · Cloudflare Cache (CDN) docs explains that Cloudflare does cache 403s under certain conditions.

  • Cloudflare does not cache the resource when:
    • The Cache-Control header is set to private, no-store, no-cache, or max-age=0.
    • The Set-Cookie header exists.
  • Cloudflare does cache the resource when:
    • The Cache-Control header is set to public and max-age is greater than 0.
    • The Expires header is set to a future date.

Cloudflare does cache the resource even if there is no Cache-Control header based on status codes.

I just checked the default 403s from 3 cheap hosts. None of them included the Cache-Control header set to private, no-store, no-cache, or max-age=0. And bear in mind "Cloudflare does cache the resource even if there is no Cache-Control header based on status codes."

Furthermore, on many hosts, if the developer opts for custom error pages, these often don’t apply private, no-store, no-cache, or max-age=0, and hosts don’t typically offer the facility to add these headers.

Also, importantly, Cloudflare doesn’t recognise HTML HTTP headers on custom (or default) error pages. Such as:
"

"

Even with this code above, Cloudflare still caches the 403.

It needs looking at.

I got the same issue, my site is hosted on *ostinger and sometimes we got some 403 errors, after we clear all cache from Cloudflare end, then all is good. Any solution to solve this?
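
An added example, not part of any post in this thread and not Cloudflare's code: a small checker that applies the header rules quoted above (Cache-Control, Set-Cookie, Expires) and the cf-cache-status check asked about earlier to an error response's status and headers. The sample headers are constructed, and the function names and verdict labels are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"')
    return out

def origin_verdict(headers, now=None):
    """Classify response headers using only the rules quoted in the thread."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if {"private", "no-store", "no-cache"} & cc.keys() or cc.get("max-age") == "0":
        return "not-cacheable"
    if "set-cookie" in h:
        return "not-cacheable"
    if "public" in cc and cc.get("max-age", "").isdigit() and int(cc["max-age"]) > 0:
        return "cacheable"
    try:
        exp = parsedate_to_datetime(h["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp > now:
            return "cacheable"
    except (KeyError, TypeError, ValueError):
        pass  # Expires header missing or unparseable
    return "undeclared"  # no directive either way; the edge configuration decides

def audit(status, headers, now=None):
    """Flag error responses that came from, or could enter, an edge cache."""
    h = {k.lower(): v for k, v in headers.items()}
    if status < 400:
        return "ok"
    if h.get("cf-cache-status", "").upper() == "HIT":
        return "error-served-from-edge-cache"
    if origin_verdict(headers, now) != "not-cacheable":
        return "error-lacks-no-store"
    return "ok"

# Constructed sample headers, not captured from any real host.
BARE_403 = {"Server": "LiteSpeed", "Content-Type": "text/html"}
CACHED_403 = {**BARE_403, "CF-Cache-Status": "HIT", "Age": "312"}
SAFE_403 = {**BARE_403, "Cache-Control": "no-store", "CF-Cache-Status": "BYPASS"}
```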
