Http Responding 403 Forbiden

I have
public function reciveNotification()
and it is alowded as following

When i do GET Request it working good but by POST request i am facing to 403 Forbiden
what am i doing wrong?
HTTP/1.1 200 OK
Date: Wed, 24 Apr 2019 11:06:43 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

HTTP/1.1 403 Forbidden
Date: Wed, 24 Apr 2019 11:05:52 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 836
Content-Type: text/html; charset=UTF-8

Do you by any accident get some error about a CSRF token missing or being invalid?

Hallo ,
As u can see , i just get forbidden error 403

Yes, the headers show you a 403, but check the body of the response, it should contain more clues as to why you get the 403.

i do try -v option of curl and the resulte is :

< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Date: Thu, 25 Apr 2019 06:04:41 GMT
Date: Thu, 25 Apr 2019 06:04:41 GMT
< Server: Apache/2.4.29 (Ubuntu)
Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 836
Content-Length: 836
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8


  • Excess found in a non pipelined read: excess = 836 url = /path to url/ (zero-length body)
  • Connection #0 to host urlto my website left intact

Then it seems like something might be wrong with your server config itself (and not your CakePHP app).
If CakePHP gives an error (unless you have it running in production mode) it should result in a big fat error screen.

I have tried to turn off debug and i got

Missing CSRF token cookie

well, then the solution is clear as day :slight_smile:
Send the csrfToken cookie with your request as well (or set the X-CSRF-Token header if using something like ajax).

thanks but the problem is that, it is a callback action from API. and i can not do that. i need to deactivate it for this action i tried to add following function to my controller
public function beforeFilter(Event $event)
but no success

How do you mean callback action from API?

there is a program from othere company make this POST Request and the can not send token

hm… I see…

well, according to the cookbook, you are using the right code… so it must be going wrong somewhere else…