Why do I get a "403 Forbidden" message when I try to add new content sections to my site?
This message typically indicates an error in the server's configuration file.
(This section is primarily of interest to server administrators; if that's not you, you can skip down to the next section for the fix.)
Some Apache servers have a module named mod_security which scans page requests and form submissions for suspicious-looking behavior. Some Apache distributions, however, include a configuration error which incorrectly blocks valid form requests, returning the "403 Forbidden" error message.
Specifically, this problem configuration rejects any form submission that contains a semicolon in the Content-Type header. Alas, this breaks any valid request that happens to add a charset declaration in that header:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Big Medium happens to do this when it makes Ajax form submissions (i.e., submissions that happen within the page rather than requesting an entirely new page).
The fix is to change the mod_security configuration on your server.
If you are the server admin and have access to your server's configuration file, you can make the following change (otherwise, contact your admin or hosting company to do it for you).
Find the SecFilterSelective entry that looks like this:
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;|^text/xml;)"
...and change that "$" symbol to ";?" like so:
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded;?|^multipart/form-data;|^text/xml;)"
After restarting Apache, the error should go away.
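To see what the change does before restarting Apache, the following added example (not part of the original FAQ or of Big Medium) models the negated SecFilterSelective rule against constructed Content-Type values. It assumes Python's re module is an adequate stand-in for the server's regex engine on these simple patterns; the STRICT pattern is a hypothetical tighter variant, included because the patched pattern no longer has an end anchor.

```python
import re

# Patterns copied from the two SecFilterSelective lines above. The leading "!"
# is handled in is_blocked(): the filter fires when the pattern does NOT match.
ORIGINAL = r"(^application/x-www-form-urlencoded$|^multipart/form-data;|^text/xml;)"
PATCHED = r"(^application/x-www-form-urlencoded;?|^multipart/form-data;|^text/xml;)"
# Hypothetical tighter variant (not from the page): allow optional parameters
# after a semicolon but keep the end anchor.
STRICT = r"(^application/x-www-form-urlencoded(;.*)?$|^multipart/form-data;|^text/xml;)"

# Constructed sample header values.
SAMPLES = [
    "application/x-www-form-urlencoded",
    "application/x-www-form-urlencoded; charset=UTF-8",
    "multipart/form-data; boundary=abc123",
    "application/x-www-form-urlencodedXYZ",
    "application/json",
]


def is_blocked(pattern, content_type):
    """Model the negated rule: block (403) when the header does not match."""
    return re.search(pattern, content_type) is None


def evaluate(pattern):
    """Return {header value: blocked?} for every constructed sample."""
    return {value: is_blocked(pattern, value) for value in SAMPLES}


if __name__ == "__main__":
    rules = (("original", ORIGINAL), ("patched", PATCHED), ("strict", STRICT))
    for name, pattern in rules:
        print(name)
        for value, blocked in evaluate(pattern).items():
            print(f"  {'403' if blocked else 'ok':4} {value}")
```

The patched rule accepts the charset form as intended, and also any value that merely begins with application/x-www-form-urlencoded; the anchored variant accepts the charset form without that side effect.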
If you don't have access to the server's configuration file or your server admin will not make this change for you, you may be able to make the change by editing the .htaccess file in your site's main HTML directory. (If no such file exists, you can create a new file named .htaccess and upload it to your site's main HTML directory.)
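Add these two lines to the .htaccess file (they turn off mod_security filtering for that directory and its subdirectories, not only the Content-Type check):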
SecFilterEngine Off
SecFilterScanPOST Off
After adding those lines, the error should go away.