Why does Duda throw 403's on fairly modern Chrome browsers?
In case this helps others, Duda doesn't document this very well at all, or provide any good reasoning for this.
If you access Duda site with any Chrome browser user agent that is below version 100 you will get a very ugly looking "403 Forbidden". There's no reasoning, there's no way to customise the error page and no way to control any settings related to this. It took us a whole lot of trial and error to even figure out what was causing it.
E.g. this is our site when using a standard Google Pixel 5 user agent:
User agent: Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.91 Mobile Safari/537.36
With the user agent modified only for the Chrome version (by creating a "custom device" in Chrome dev tools settings) it works:
User agent: Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.0.0 Mobile Safari/537.36
When I contacted Duda about this, the reply I got was basically that it's because of "security" and they only support the previous 2 browser versions. Just the previous 2! Chrome releases a new browser version on average once a month. So what, Duda only supports the latest 2 months worth of browser? That's quite ridiculous considering the vast array of devices and browsers out there. In our case we're only using Duda as a static site. Our web app and authenticated sections are hosted elsewhere so the risk profile of our Duda site is quite limited, so for us it makes no sense that the support window of browsers would be this small, and there are just no settings to override this or control this or tweak this or anything.
Secondly, our user base is the general public. There's no real way for us to request that everyone update their browsers, especially not if the error says nothing more than "403 Forbidden". If it could be customised we could have some way of informing the user at least.
Has anyone else come across this and do you have any decent workarounds?
By the way Duda, there are much better ways to do web security. User agent is basically a sledge hammer. Just as one example, Content security policy is a much finer grained filtering mechanism, and there could also be a much better graceful degradation instead of throwing up a blanket "403 Forbidden".
Answers
-
Hi @Dinesh,
I've forwarded your feedback to our product team and I'll circle back with any news.
0 -
One of our clients is experiencing the same issue and they are almost at the point of wanting to cancel. Constant messages from customers on their socials saying that they get this same error on some Android devices.
0 -
One of my clients just contacted me about this error on their Duda site. After a google search, I found this thread. I'm shocked Duda would throw up a non-descript error for security. I had no idea my clients or my client's viewers could be getting messages like this with no explanation.
Why not throw up a message like with Internet Explorer?!
0 -
Oh, this is a big issue. Following this closely.
0 -
The first response to this post was from a Duda staff member saying this will be passed onto their Product team and will cycle back with any news. I still haven't heard a thing from Duda. Similarly, my support ticket was supposedly passed onto a QA team but I didn't hear back. It was just auto-closed by their system.
The lack of any coherent response from Duda to this issue, which clearly is impacting quite a few others, is certainly concerning.
0
