Navigating the challenging waters of a 403 Forbidden error—your expertise could be the key to unlocking seamless Vimeo video embedding for all Cloudflare users

Hello Cloudflare Community,

TLDR;
Experiencing 403 Forbidden error when attempting to embed Vimeo videos on our website. Videos are configured for domain-restricted embedding, but embedding fails unless videos are set to public. Using Cloudflare for DNS and HTTPS proxy, with features like Bot Fight Mode, Managed Challenges, HTTP DDoS Protection, High Security Level, Browser Integrity Check, and Content Optimization settings activated.

Issue Details:

  • Vimeo Video Settings: Configured for domain-restricted embedding.
  • Symptom: Embedding attempts result in a “403 (Forbidden)” error in the browser console. Interestingly, making the video public and allowing embedding anywhere temporarily resolves this issue.

Our Setup:
We utilize Cloudflare for DNS and HTTPS proxy services. Our configuration includes:

  1. Bot Fight Mode
  2. Managed Challenges for IPs outside India
  3. HTTP DDoS Attack Protection
  4. Security Level: High
  5. Browser Integrity Check
  6. Content Optimization Features: Brotli, Cloudflare Fonts, Early Hints, Rocket Loader, Auto Minify
  7. Managed Transforms: Add TLS client auth headers, Remove “X-Powered-By” headers, and Add security headers

Given our reliance on Cloudflare’s features and the recent adjustments made, we’re seeking insights into the potential cause of this embedding issue and any suggestions for resolving the 403 Forbidden error.

Thank you in advance for your support and guidance.

I bet it’s this:

https://developers.cloudflare.com/rules/transform/managed-transforms/reference/#add-security-headers

One of those Security Headers is referrer-policy: same-origin, which removes your domain from the request headers to other domains, and I bet that’s what Vimeo is looking for.

By the way, thank you for the super-detailed explanation of the issue. It makes it a whole lot easier to diagnose.

3 Likes

Thanks @sdayman. It worked out!

3 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.