
Guzzle & Sucuri: Fixing 403 request errors

Posted on by David Singer | Updated:
Category: Common Fixes | Tags: Composer, Guzzle

When you use the GuzzleHTTP client against a domain that is protected by Sucuri, you may get some unexpected results, generally in the form of 4XX or 5XX error response codes. Oddly enough, the URL works normally in a browser (or curl) but returns an inexplicable 403 with Guzzle. Your mileage may vary based on the domain’s Sucuri settings and configuration, but this tip can usually get you on the right track!

Fixing 403 errors when using Guzzle with Sucuri

If you’re having trouble ‘GET’-ing a page using Guzzle but the URL works normally in a browser, try this out. Configuring your Guzzle client to send some specific headers might help Sucuri accept your request. In these cases the issue isn’t actually with Sucuri, your code, or your server; rather, your request triggers a false positive in their system. By setting these headers you can signal to Sucuri that your request isn’t malicious.

Try the following Guzzle client configuration:

use GuzzleHttp\Client;

// Default headers sent with every request made through this client.
$guzzle = new Client([
  'headers' => [
    'User-Agent' => 'Name of your tool/v1.0',
    'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding' => 'gzip, deflate, br',
  ],
]);

What Can These Options Provide?

The only Guzzle option used here is the headers option. This option takes an array of the HTTP headers that you’d like to send with your requests. It’s super simple to use: each array key is the header name and each array value is the header value! Here we’re using the following headers:

  • User-Agent: This header is a string describing the characteristics of the software making the request. It helps network peers identify application type, OS, software vendor, and versions. The key here is to just set one that describes the tool you’re using and built! (So update “Name of your tool” to fit.)
  • Accept: This header defines the document types and sub-types accepted by the requesting software. In this case we’re using the same value that a modern browser might use. You can go ahead and use this one as is!
  • Accept-Encoding: This header advertises which content encodings are acceptable for the response to use. Generally it’s used to define the compression algorithms that the client is able to understand. In our case we use gzip, deflate (zlib), and br (Brotli).

With these 3 headers set, the false positive being triggered in Sucuri can now be resolved! You can continue building/using your tool without any more headaches. And best of all, there’s no need to adjust anything at Sucuri to fix the issue.

If you really know what you’re doing with HTTP headers you can probably even refine the Accept values to only include doctypes you want to deal with.
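
To check what actually changes on the request, the following added example (not part of the original article) captures the headers Guzzle sets with a default client and with the configuration above. It uses Guzzle's MockHandler and history middleware, so nothing is sent over the network; the autoload path and the example.com URL are placeholders.

```php
<?php
// Added example, not from the original article. Assumes guzzlehttp/guzzle was
// installed with Composer; the autoload path and target URL are placeholders.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;

/**
 * Build a client with the given default headers, send one GET through a
 * mock handler (no network I/O), and return the headers Guzzle put on it.
 */
function capturedHeaders(array $defaultHeaders): array
{
    $history = [];
    $stack = HandlerStack::create(new MockHandler([new Response(200)]));
    $stack->push(Middleware::history($history));

    $config = ['handler' => $stack];
    if ($defaultHeaders !== []) {
        $config['headers'] = $defaultHeaders;
    }
    (new Client($config))->get('https://example.com/');

    $sent = [];
    foreach ($history[0]['request']->getHeaders() as $name => $values) {
        $sent[$name] = implode(', ', $values);
    }
    return $sent;
}

$default = capturedHeaders([]);
$configured = capturedHeaders([
    'User-Agent' => 'Name of your tool/v1.0',
    'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding' => 'gzip, deflate, br',
]);

// The mock handler bypasses cURL, so headers cURL itself adds at transport
// time do not appear here; only what Guzzle sets on the request is shown.
foreach (['default' => $default, 'configured' => $configured] as $label => $headers) {
    echo "== {$label} client ==\n";
    foreach ($headers as $name => $value) {
        echo "{$name}: {$value}\n";
    }
}
```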

What is GuzzleHTTP?

Guzzle is a PHP-based HTTP client used to simplify making web requests in PHP. In the past we’ve covered how to use Composer and even used Guzzle as one of the examples. The GuzzleHttp client is an extremely user-friendly wrapper for the PHP curl functions that provide the native HTTP client functionality. Think of Guzzle the same as using curl or a web browser: you give it a URL and it’ll get the resources that URL serves. It’s a lot closer to curl, though, since it similarly lacks the rendering engine of a browser.


About the Author: David Singer

I am a g33k, Linux blogger, developer, student, and former Tech Writer for Liquidweb.com. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
