Why does Duda throw 403s on fairly modern Chrome browsers?
In case this helps others, Duda doesn't document this very well at all, or provide any good reasoning for this.
If you access a Duda site with any Chrome browser user agent that is below version 100, you will get a very ugly-looking "403 Forbidden". There's no reasoning, there's no way to customise the error page and no way to control any settings related to this. It took us a whole lot of trial and error to even figure out what was causing it.
E.g. this is our site when using a standard Google Pixel 5 user agent:
User agent: Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36
With the user agent modified only for the Chrome version (by creating a "custom device" in Chrome dev tools settings) it works:
User agent: Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/18.104.22.168 Mobile Safari/537.36
When I contacted Duda about this, the reply I got was basically that it's because of "security" and they only support the previous 2 browser versions. Just the previous 2! Chrome releases a new browser version on average once a month. So what, Duda only supports the latest 2 months' worth of browsers? That's quite ridiculous considering the vast array of devices and browsers out there. In our case we're only using Duda as a static site. Our web app and authenticated sections are hosted elsewhere, so the risk profile of our Duda site is quite limited. For us it makes no sense that the support window of browsers would be this small, and there are just no settings to override this or control this or tweak this or anything.
Secondly, our user base is the general public. There's no real way for us to request that everyone update their browsers, especially not if the error says nothing more than "403 Forbidden". If it could be customised we could have some way of informing the user at least.
Has anyone else come across this and do you have any decent workarounds?
By the way, Duda, there are much better ways to do web security. User agent is basically a sledgehammer. Just as one example, Content Security Policy is a much finer-grained filtering mechanism, and there could also be a much better graceful degradation instead of throwing up a blanket "403 Forbidden".