After uploading your website or application to the Plesk server, you may see a 403 or 500.30 error when opening the site publicly.
Your application may work in local development but generate errors once you publish it to the live server.
This is likely caused by the Web Application Firewall (WAF).
The WAF is an extensive set of security rules that protects the server and your account from malicious code or security vulnerabilities.
Examples of what the WAF blocks include SQL injection issues, PUT and DELETE commands, and some insecure authentication methods.
Disabling the WAF is not recommended, and any sites not protected by the WAF are considered vulnerable and in violation of our Terms and Conditions.
Instead, diagnose which rules are causing your code to fail.
You can do this by reviewing the Logs in Plesk, which will display all the errors your site generates.
You can also switch the WAF to Detect Only mode to assist in diagnosing the firewall.
Detecting Web Application Firewall Rule Triggers
For initial publishing and testing, you might want to switch the WAF to Detection Only so you can view the logs and fine-tune the firewall as needed.
You may need to allow specific firewall rules or update your code accordingly.
- From the Dashboard tab under Websites & Domains, look for the Security section and click on the Web Application Firewall icon.
- For now, set the mode to Detection Only.
- Click OK to save your settings.
IMPORTANT
For website security, you should switch this back to On once you have tested your app and configured the security rules as needed.
Leaving this as Off or Detect Only will leave your site vulnerable to attacks.
There is a link on this screen that will show you the logs for the firewall and rules that are stopping your application from working.
WARNING: Any hosting accounts that continue to leave the Web Application Firewall disabled for extended periods will be suspended automatically.
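To go with the log review described above, this added example (not part of the original article or the host's tooling) groups WAF log entries by rule ID so you can see which rules fire and on which URLs. It assumes the log lines follow the ModSecurity error-log style, since the Plesk WAF is built on ModSecurity; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Matches ModSecurity's bracketed metadata fields, e.g. [id "942100"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines in ModSecurity error-log style (trimmed, not real output).
SAMPLE_LOG = "\n".join([
    '[client 203.0.113.7] ModSecurity: Warning. detected SQLi using libinjection. '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[hostname "example.com"] [uri "/api/search"]',
    '[client 203.0.113.7] ModSecurity: Warning. detected SQLi using libinjection. '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] '
    '[hostname "example.com"] [uri "/api/report"]',
    '[client 198.51.100.4] ModSecurity: Access denied with code 403 (phase 1). '
    '[id "911100"] [msg "Method is not allowed by policy"] '
    '[hostname "example.com"] [uri "/api/items/5"]',
    '[client 198.51.100.4] File does not exist: /favicon.ico',
])

def summarize(log_text):
    """Group WAF entries by rule ID: hits, blocked count, affected URIs, message."""
    rules = {}
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # unrelated web server log line
        fields = dict(FIELD.findall(line))
        rule_id = fields.get("id")
        if rule_id is None:
            continue  # WAF line without a rule ID; nothing to attribute
        entry = rules.setdefault(
            rule_id, {"msg": fields.get("msg", ""), "hits": 0, "blocked": 0, "uris": set()})
        entry["hits"] += 1
        if "Access denied" in line:  # request was rejected, not just logged
            entry["blocked"] += 1
        if "uri" in fields:
            entry["uris"].add(fields["uri"])
    return rules

def report(rules):
    """One summary line per rule, most frequently triggered first."""
    rows = sorted(rules.items(), key=lambda kv: -kv[1]["hits"])
    return [f'{rid} hits={r["hits"]} blocked={r["blocked"]} '
            f'uris={",".join(sorted(r["uris"]))} msg={r["msg"]}' for rid, r in rows]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Entries with blocked=0 were only logged, which is what you should expect while the WAF is in Detection Only mode.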