Zoom Apps Configuration
Our app runs on a node.js backend with a combination of VanillaJS/AngularJS/React microfrontends. The only relevant code here is our node.js backend.
Error Description
Since recently, all our requests to the Zoom API fail with a “403 Forbidden” response code. In the response body, we see the following:
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.
Cloudflare Ray ID: 7a7347446afdbb85 • Performance & security by Cloudflare
For example, this is the response we got to a request to api/v2/users/me/meetings. The same happens with all other requests to the Zoom API.
We make these requests from our node.js backend. It has been working fine for more than a year, and now it suddenly started to fail. We didn’t change anything that we think could be related.
The issue affects both our Staging and Production environments. It affects users from different countries.
This is an urgent issue as it breaks key features of our system.
How To Reproduce
Open our app, try to register as a new user.
Or try to schedule a meeting as an existing user.
I pinged your team for more information on the team chat channel that we have. I’ll use that to ping our service engineering team to investigate the issue.
@MaxM Update: today the issue can no longer be reproduced. Everything works fine. Still, we would appreciate some insight into why this happened and how we can avoid this in the future.
Great! I’m glad to hear that everything is working as expected. Our team whitelisted your IP address and found the root cause. It seems that our rules blocked it because it detected a CVE-2018-14773 anomaly.
Just to be safe, I would confirm that your application is not using the X-Original-URL and X-Rewrite-URL request headers.
You shouldn’t run into this issue going forward but please reach out if you encounter any other questions or issues.
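The two checks suggested in this reply, written up as an added example for a node.js backend (this is not code from the thread, from Zoom or from Cloudflare): an audit of the headers the backend sends to the Zoom API that removes the X-Original-URL / X-Rewrite-URL headers and reports any other non-standard header such as x-initial-origin, plus a detector that recognises a Cloudflare block page by its Ray ID so it is logged rather than mistaken for a Zoom authorization error. The EXPECTED_HEADERS list and the sample headers are assumptions.

```javascript
// Added example, not code from the thread or from Zoom.
// Headers a WAF may treat as a CVE-2018-14773 (X-Original-URL / X-Rewrite-URL
// path-override) probe; they are never needed for Zoom API calls, so drop them.
const FORBIDDEN_HEADERS = new Set(['x-original-url', 'x-rewrite-url']);

// Assumed set of headers we expect on Zoom API requests. Anything else
// (e.g. a custom "x-initial-origin" header) is reported for review but kept.
const EXPECTED_HEADERS = new Set(['authorization', 'content-type', 'accept', 'user-agent']);

function auditOutboundHeaders(headers) {
  const cleaned = {};
  const findings = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (FORBIDDEN_HEADERS.has(key)) {
      findings.push({ header: name, action: 'removed', reason: 'CVE-2018-14773 header' });
      continue; // not copied into cleaned
    }
    if (!EXPECTED_HEADERS.has(key)) {
      findings.push({ header: name, action: 'review', reason: 'non-standard header' });
    }
    cleaned[name] = value;
  }
  return { headers: cleaned, findings };
}

// A Cloudflare block page is HTML carrying a 16-hex-digit Ray ID, unlike
// Zoom's own JSON error bodies; the Ray ID is what support asks for.
const RAY_ID_RE = /Cloudflare Ray ID:\s*([0-9a-f]{16})/i;

function detectWafBlock(status, body) {
  if (status !== 403) return { blocked: false, rayId: null };
  const match = RAY_ID_RE.exec(String(body));
  if (!match) return { blocked: false, rayId: null }; // a plain Zoom 403
  return { blocked: true, rayId: match[1] };
}

// Constructed sample input: headers with both problem classes, and the
// 403 body from the thread (Ray ID taken from the original post).
const sampleHeaders = {
  Authorization: 'Bearer <token>',
  'Content-Type': 'application/json',
  'X-Original-URL': '/api/v2/users/me/meetings',
  'x-initial-origin': 'https://app.example',
};
const sampleBody = 'Cloudflare Ray ID: 7a7347446afdbb85 • Performance & security by Cloudflare';

console.log(auditOutboundHeaders(sampleHeaders).findings);
console.log(detectWafBlock(403, sampleBody));
```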
It’s still strange that we got blacklisted automatically, but being whitelisted should mean we are safe for the future, I hope.
I’ve checked the code and didn’t find the headers they mentioned. We are using a custom “x-initial-origin” header (that I introduced for overcoming some CORS issues specific to our system); maybe it could have triggered the safety alarm.
Hi @MaxM,
We are receiving these errors as well. We’ve checked the headers and tried clearing out all that are mentioned in this post. We are still getting blocked. Here’s one of our Cloudflare Ray IDs: 7a7cd16b8d77c64f
We have a few public IP address ranges, can we get those whitelisted?
Thanks!
Apologies for the delay in seeing your issue. I’m glad to hear that it is resolved! If you would like me to investigate this further, please respond to the initial post you created and I’ll follow up with you.