Hi everyone,
After the DevOps team enabled HSTS yesterday, my application has not been able to call a service action.
The error is: The remote server returned an error: (403) Forbidden.
Can anyone provide a solution?
Regards,
Zhou Shuai
Hi Zhou,
Have you applied the settings in Service Center (see in detail here)?
Hope it helps.
Cheers,
João
Hi Joao,
What settings are you referring to? The setting I mentioned is configured in LifeTime.
For transversal changes, like the one you are referring to, to be effectively applied, you need to apply those settings per environment.
If you go to the Service Center of the environment you are testing and apply those settings (as mentioned in the documentation and screenshot above), they will then be applied and the HSTS policy will indeed be in place. Until then these settings are pending.
As you can see in the documentation, Service Actions fall into Module Settings that need to be applied:
João Marques wrote:
Sorry, I don't understand if your answer is related to my issue.
When you toggled the HSTS in LifeTime, you think you activated it, but instead you requested its activation and it's not yet ON.
In order for the HSTS to be activated, you need to Apply settings in each environment.
So you need to go to each environment and:
a) Create a solution with everything and publish everything;
b) Create a solution with all eSpaces and apply settings.
To do this, on Service Center, you create a solution
Then, you add all the modules (use of *) like on the image below and press Associate:
And once you have them all, you press Apply Settings:
Once you do that, now all your modules will have the latest settings, including the HSTS you activated.
Hope now it is more clear.
I'm not sure, but this could also be related to the same bug that was reported here.
Is your module associated with a Deployment Zone for which Use HTTPS for internal communications property is disabled?
In this case, it could be that having HSTS enabled and HTTPS for internal communications disabled is resulting in the same bug. Service Actions are supposed to always accept http requests regardless of any configurations.
I will report this one to OutSystems too, so they can analyze it further.
Nordin
Nordin Ahdi wrote:
Hi Nordin,
No.
But my issue is the same as the other post you shared.
Enabling the "Use HTTPS for internal communications" property worked for me.
Thanks
The issue happened because HSTS forces all communication to use HTTPS. Your service calls were likely still using HTTP, causing the 403 error. Enabling the “Use HTTPS for internal communications” property ensures all internal requests use HTTPS, which fixes the issue. This setting aligns with HSTS requirements and resolves the access problem. Hope it helps!
Hi Olivia,
The post you are replying to is almost 5 years old. No-one will be waiting for an answer after such a long time. Please check the dates of posts before replying, thanks! I'll close this post now.