Guzzle & Sucuri: Fixing 403 request errors

When using GuzzleHTTP client if the domain you’re interacting with uses Sucuri you may find some unexpected results. Generally the issues come in the way of 4XX or 5XX error response codes. Oddly enough the issue presents itself when the Url works normally in the browser (or curl), but presents an inexplicable 403 with Guzzle. Some of your mileage may vary based on the domains Securi settings and configuration, but this tip can usually get you on the right track!

Fixing 403 errors when using Guzzle with Sucuri

If you’re experiencing an issue with ‘GET‘-ing a page using Guzzle but the URL works normally in a browser try this out. If you configure your Guzzle client to use some specific headers then it might help Securi accept your request. In these cases the issue isn’t actually with Securi, your code, or server – rather the issue is just that your request triggers a false positive in their system. By setting these headers you can signal to Securi your request isn’t malicious.

Try the following Guzzle client configuration:

$guzzle = new Client([
  'headers' => [
    'User-Agent' => 'Name of your tool/v1.0',
    'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding' => 'gzip, deflate, br',
  ],
]);

What Can These Options Provide?

The Guzzle options used here is simply the headers option. This option uses an array to set the HTTP headers that you’d like to use with the requests. The option is super simple to use, you just set the Header key to the key and the Header value to the value! Here’ we’re using the following headers:

• User-Agent: This header is a string describing the characteristics of the software making the request. It helps network peers identify application type, OS, software vendor, and versions. The key here is to just set one that describes the tool you’re using and built! (So update “Name of your tool” to fit.)
• Accept: This header defines the varying document type and sub-types accepted by the requesting software. In this case we’re using the same value that a modern browser might use. You can go ahead and use this one as is!
• Accept-Encoding: This header advertises which content encoding is acceptable for the response to use. Generally it’s used to define the compression algorithm that the client is able to understand. In our case we use Gzip, deflate (zlib), and br(Brotli).

With these 3 headings set the false positive being triggered in Securi can now be resolved! You can continue building/using your tool without anymore headaches. And best of all there’s no need to adjust anything at Securi to fix the issue.

If you really know what you’re doing with HTTP headers you can probably even refine the Accept values to only include doctypes you want to deal with.

What is GuzzleHTTP?

Guzzle is a PHP based HTTP client used to simplify making web requests in PHP. In the past we’ve covered how to use Composer and even used Guzzle as one of the examples. The GuzzleHttp client is an extremely user friendly wrapper for the PHP curl functions that provide the native HTTP client functionality. Think of Guzzle the same as using Curl or a Webbrowser – you give it a URL and it’ll get the resources that url serves. It’s a lot closer to curl though since, similarly, it lacks a rendering engine of a browser.