The Movie Database Support

Hello,

Since yesterday, my production application no longer works.

I use Vercel's serverless functions as a proxy for my front-end requests to the TMDB API. This function adds the Bearer token to the HTTP headers so that users don't see my API token.

// Vercel serverless function to proxy TMDB API requests

import { createProxyMiddleware } from 'http-proxy-middleware';
import type { Request, Response } from 'express';

const apiProxy = createProxyMiddleware({
  target: process.env['TMDB_API_URL'],
  changeOrigin: true,
  pathRewrite: {
    '^/api': '',
  },
  onProxyReq: proxyReq => {
    proxyReq.setHeader(
      'Authorization',
      `Bearer ${process.env['TMDB_API_TOKEN']}`
    );
  },
});

export default async function (req: Request<any>, res: Response<any>) {
  return apiProxy(req, res, () => ({}));
}

Until yesterday, everything had been running smoothly for over 8 months.

Error logs returned by the proxy function:

[Proxy Response] {
  statusCode: 403,
  path: '/configuration',
  headers: {
    'content-type': 'text/plain',
    'transfer-encoding': 'chunked',
    connection: 'close',
    date: 'Wed, 20 Nov 2024 08:34:23 GMT',
    server: 'openresty',
    'content-encoding': 'gzip',
    vary: 'Accept-Encoding,accept-encoding, Origin',
    'x-cache': 'Error from cloudfront',
    via: '1.1 b09c8a20b29053a362f3c1085a0f8990.cloudfront.net (CloudFront)',
    'x-amz-cf-pop': 'MRS52-P5',
    'alt-svc': 'h3=":443"; ma=86400',
    'x-amz-cf-id': 'wuVqwl7l58qHOjPJgJOfAgVIy7IMNAVgCnvhFOui9-kgrlbTQO3L9Q=='
  }
}

Is there a possibility that my Vercel host has been blocked?

When I try to use the TMDB API with Postman or with another proxy, there is no problem.

Thanks for helping.

4 replies (on page 1 of 1)


Hi @dualshote,

I would assume this has to do with some security work we've been doing over the past week or so. We found an open issue where we were not enforcing the allowed host values, which could let 3rd parties masquerade as if they were the ones running api.themoviedb.org with a different domain.

The only way you'd be tripping over this change is if that is precisely what this proxy is inadvertently doing. Are you able to set the X-Forwarded-Host header by any chance? Set it to api.themoviedb.org, of course.

Thanks, I had the same issue and adding the header fixed it for me.

Hi @travisbell,

The problem is now fixed by adding the header "X-Forwarded-Host" to "api.themoviedb.org".

https://www.movie-catalog.io/ is now online ;)

Thanks a lot for your help!

@travisbell, in my app we are still seeing some calls that were made earlier today without the X-Forwarded-Host header still return errors when we execute them with the new header being passed. Is there some caching on the TMDB API that might explain that?
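
The fix discussed in this thread, as an added example that is not code from any poster or from TMDB: it models an upstream that enforces allowed host values and compares the headers the original proxy would send with headers that pin X-Forwarded-Host. The allowlist, the `upstreamAccepts` check, the function names and the sample headers are assumptions made for illustration.

```typescript
type HeaderMap = Record<string, string>;

const UPSTREAM_HOST = 'api.themoviedb.org';
// Assumed allowlist; the thread only says allowed host values are now enforced.
const ALLOWED_HOSTS = new Set<string>([UPSTREAM_HOST]);

// HTTP header names are case-insensitive, so compare them lower-cased.
function normalize(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    out[name.toLowerCase()] = headers[name] ?? '';
  }
  return out;
}

// Hypothetical model of the upstream check: X-Forwarded-Host wins over Host,
// and only the first value of a comma-separated list is considered.
function upstreamAccepts(headers: HeaderMap): boolean {
  const h = normalize(headers);
  const raw = h['x-forwarded-host'] ?? h['host'] ?? '';
  const first = (raw.split(',')[0] ?? '').trim().toLowerCase();
  return ALLOWED_HOSTS.has(first);
}

// Model of the original proxy: Host is rewritten (changeOrigin) and the token
// is added, but forwarding headers set in front of the function pass through.
function originalProxyHeaders(incoming: HeaderMap, token: string): HeaderMap {
  return { ...normalize(incoming), host: UPSTREAM_HOST, authorization: `Bearer ${token}` };
}

// Fixed proxy: drop host-related and credential headers from the inbound
// request, then pin every value the upstream may use to identify the host.
function fixedProxyHeaders(incoming: HeaderMap, token: string): HeaderMap {
  const out = normalize(incoming);
  for (const name of ['host', 'x-forwarded-host', 'forwarded', 'authorization']) {
    delete out[name];
  }
  out['host'] = UPSTREAM_HOST;
  out['x-forwarded-host'] = UPSTREAM_HOST;
  out['authorization'] = `Bearer ${token}`;
  return out;
}

// Constructed sample: what a hosting edge might hand to the function.
const sampleIncoming: HeaderMap = {
  Host: 'frontend.example',
  'X-Forwarded-Host': 'frontend.example',
  Accept: 'application/json',
};
```

In the handler posted at the top of the thread, the equivalent change is one more `proxyReq.setHeader('X-Forwarded-Host', 'api.themoviedb.org')` call inside `onProxyReq`.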
