HelioHost Posted February 21 Posted February 21 Username: sharat, Server: Morty, Main domain: sharat.helioho.stHi,? We are experiencing a 403 Forbidden error on our Google SSO callback URL in production: https://couponsswap.com/api/auth/google/callback? Reason: The Google callback includes a scope parameter that contains URLs (e.g., https://www.googleapis.com/auth/userinfo.email). It appears the ModSecurity Web Application Firewall (WAF) is flagging this as a "Remote File Inclusion" or "SSRF" attempt and blocking the request.? Request: Could you please check the ModSecurity logs for couponsswap.com and whitelist the specific Rule ID that is being triggered by this callback? Common rules that cause this are 931130 or 210831, but please verify the triggered ID in the logs around the time of the failure (around 8:10am EST). Alternatively, if a rule whitelist isn't possible, could you disable ModSecurity specifically for the /api/auth/google/callback path?? Thank you! Sharat
HelioHost Posted February 21 Author Posted February 21 Whatever you do here, could you please also do it for?CouponShare - Share Coupons with Your Groups? | | | | CouponShare - Share Coupons with Your Groups Share and track coupons with your friends and family groups. See who has read and used each coupon in real-time. | | | On Saturday, February 21, 2026 at 08:19:19 AM EST, HelioHost Support wrote: Your message (Request to whitelist Google SSO Callback from ModSecurity (WAF)) has been assigned the tracking ID [HH#128625]. One of our volunteer community members will reply to your email as soon as possible. Please include the string [HH#128625] in the subject of any future email regarding this case. You may do that by simply replying to this message. Please be aware that our system rejects binary attachments. If you are submitting a screenshot or attachment please post a link to the file instead of attaching it to the email. You may view the status of your ticket by visiting: https://helionet.org/index/index.php?showtopic=67024 Thank you, HelioHost Support https://heliohost.org/ https://helionet.org/
wolstech Posted February 21 Posted February 21 You can actually adjust these yourself. Go into your domain in Plesk and click on "Web Application Firewall", and you can enter the rule numbers you want to turn off. In your case, your logs show it was rule 210580 blocking this. I've added that rule to your domain's exception list for you. The change will take up to 2 hours to be effective.
HelioHost Posted February 21 Author Posted February 21 Thank you!? I am aware I can do these myself but I have no visibility in the logs for checking the exact rule id.? I am also facing the same issue for couponsharinghub.com ... would it be the same rule id for that site too?? On Saturday, February 21, 2026 at 10:33:13 AM EST, HelioHost Support wrote: You can actually adjust these yourself. Go into your domain in Plesk and click on "Web Application Firewall", and you can enter the rule numbers you want to turn off. In your case, your logs show it was rule?210580 blocking this. I've added that rule to your domain's exception list for you. The change will take up to 2 hours to be effective. You may view the status of your ticket by visiting: https://helionet.org/index/index.php?showtopic=67024 Thank you, HelioHost support https://heliohost.org/ https://helionet.org/
Krydos Posted February 21 Posted February 21 Here is our documentation on how to check your own logs. https://wiki.helionet.org/View_Error_Logs If you follow the steps you will see an error like this: ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||couponsharinghub.com|F|2"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile openid"] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "couponsharinghub.com"] [uri "/api/auth/google/callback"] [unique_id "aZng1jijUNsowVqyBX6PrQAAAEA"], referer: https://accounts.google.com/ But if you read it carefully you'll see [id "210580"] in the mess.
HelioHost Posted February 21 Author Posted February 21 That helps for next time, thank you!? On Saturday, February 21, 2026 at 12:04:04 PM EST, HelioHost Support wrote: Here is our documentation on how to check your own logs.?https://wiki.helionet.org/View_Error_Logs If you follow the steps you will see an error like this: ModSecurity: Access denied with code 403 (phase 2). Matched phrase ".profile" at ARGS:scope. [file "/etc/httpd/conf/modsecurity.d/rules/comodo_free/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||couponsharinghub.com|F|2"] [data "Matched Data: .profile found within ARGS:scope: email profile https:/www.googleapis.com/auth/userinfo.email https:/www.googleapis.com/auth/userinfo.profile openid"] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "couponsharinghub.com"] [uri "/api/auth/google/callback"] [unique_id "aZng1jijUNsowVqyBX6PrQAAAEA"], referer: https://accounts.google.com/ But if you read it carefully you'll see [id "210580"] in the mess. You may view the status of your ticket by visiting: https://helionet.org/index/index.php?showtopic=67024 Thank you, HelioHost support https://heliohost.org/ https://helionet.org/
Recommended Posts