I have a problem logging in to a subdomain using the Fetch API; I get a 403 error.
All traffic goes through cloudflare proxies:
subdomain.name.com – CNAME set to another server (I don’t have access)
name.com – This is my server connected to Cloudflare.
My script from the main page https://name.com:
document.addEventListener('DOMContentLoaded', async () => {
    try {
        // Fetch the login page to obtain the CSRF token embedded in the form
        const loginPageResponse = await fetch('https://subdomain.name.com/auth/login/', {
            method: 'GET',
            credentials: 'include' // Required for sending cookies
        });
        const loginPageHtml = await loginPageResponse.text();
        const parser = new DOMParser();
        const doc = parser.parseFromString(loginPageHtml, 'text/html');
        const csrfTokenElement = doc.querySelector('input[name="csrfmiddlewaretoken"]');
        if (!csrfTokenElement) {
            throw new Error('csrfmiddlewaretoken input not found in login page');
        }
        const csrfToken = csrfTokenElement.value;
        // Submit the login form with the token and credentials
        const loginResponse = await fetch('https://subdomain.name.com/auth/login/', {
            method: 'POST',
            credentials: 'include',
            body: new URLSearchParams({
                next: '',
                csrfmiddlewaretoken: csrfToken,
                username: 'user',
                password: 'pass',
            })
        });
        if (loginResponse.ok) {
            console.log('Log in');
        } else {
            console.error('Error login:', loginResponse);
            const errorText = await loginResponse.text();
            console.error('Error:', errorText);
        }
    } catch (error) {
        console.error('err:', error.message);
    }
});
Subdomain Headers
1. For request method GET (200 OK):
2. For request method OPTIONS (200 OK):
3. For request method POST (Error):
https://subdomain.name.com/auth/login/
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 0.0.0.0
Referrer Policy: strict-origin-when-cross-origin
Response Headers:
access-control-allow-credentials: true
access-control-allow-headers: Content-Type, Accept, X-Requested-With, Authorization, X-Custom-Header
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-origin: https://name.com
alt-svc: h3=":443"; ma=86400
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 8fe475734814c063-WAW
content-encoding: zstd
content-language: pl
content-type: text/html; charset=utf-8
date: Tue, 07 Jan 2025 13:57:46 GMT
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true}
p3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
priority: u=1,i
report-to: {"group":"default","max_age":2592000,"endpoints":[{"url":"https://report.cdn.com/a/t/g"}],"include_subdomains":true}
server: cloudflare
set-cookie: csrftoken=Qtt3tcjt2mBhlUcFLrv65lckSIZ85pbu; Domain=subdomain.name.com; expires=Tue, 06 Jan 2026 13:57:46 GMT; Max-Age=31449600; Path=/; SameSite=none; Secure
strict-transport-security: max-age=31536000; includeSubDomains; preload
vary: Accept-Encoding
vary: Accept-Language, Cookie
via: 1.1 google
x-robots-tag: noindex, nofollow
Request Headers:
:authority: subdomain.name.com
:method: POST
:path: /auth/login/
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
accept-encoding: gzip, deflate, br, zstd
accept-language: en-EN,en;q=0.9
content-length: 118
content-type: text/html; charset=utf-8
cookie: test
origin: https://name.com
priority: u=1, i
referer: https://name.com/
sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Results:
Error login: Response {type: 'cors', url: 'https://subdomain.name.com/auth/login/', redirected: false, status: 403, ok: false, …}
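As an added example (not part of the question, and not code from either site involved), the script below takes the response headers and Set-Cookie line quoted above and checks them against the failing request: whether the CORS headers permit a credentialed request from https://name.com, whether the POST needs a preflight, and whether the csrftoken cookie's Domain/Path/Secure/SameSite attributes allow it to be attached to the request. The `responseHeaders` and `request` objects are constructed from the capture; the request content type is assumed to be application/x-www-form-urlencoded, which is what a URLSearchParams body produces (the capture above shows text/html, so that is an assumption). When the CORS check fails, fetch rejects with a TypeError and no status is visible, so a Response with `type: 'cors'` and `status: 403` like the one in the question means the browser accepted the response and the 403 was produced by the application itself.

```javascript
// Constructed from the response headers quoted in the question.
const responseHeaders = {
  'access-control-allow-origin': 'https://name.com',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'access-control-allow-headers': 'Content-Type, Accept, X-Requested-With, Authorization, X-Custom-Header',
  'set-cookie': 'csrftoken=Qtt3tcjt2mBhlUcFLrv65lckSIZ85pbu; Domain=subdomain.name.com; ' +
    'expires=Tue, 06 Jan 2026 13:57:46 GMT; Max-Age=31449600; Path=/; SameSite=none; Secure',
};

// Constructed from the request headers in the question; content type is an assumption
// (URLSearchParams bodies are sent as application/x-www-form-urlencoded).
const request = {
  url: 'https://subdomain.name.com/auth/login/',
  origin: 'https://name.com',
  method: 'POST',
  credentials: 'include',
  contentType: 'application/x-www-form-urlencoded',
};

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestUrl?
// secFetchSite is the Sec-Fetch-Site value ('same-site' in the capture above).
function cookieWouldBeSent(cookie, requestUrl, secFetchSite) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  const domain = (cookie.attrs.domain || host).replace(/^\./, '').toLowerCase();
  const domainOk = host === domain || host.endsWith('.' + domain);
  const pathOk = url.pathname.startsWith(cookie.attrs.path || '/');
  const secureOk = !cookie.attrs.secure || url.protocol === 'https:';
  const sameSite = String(cookie.attrs.samesite || 'lax').toLowerCase();
  // Lax and Strict both withhold the cookie from a cross-site POST; None allows it.
  const sameSiteOk = sameSite === 'none' || secFetchSite !== 'cross-site';
  return domainOk && pathOk && secureOk && sameSiteOk;
}

// Does the CORS response pass the browser's checks for this request?
function corsAllowsResponse(headers, req) {
  const reasons = [];
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao !== req.origin && acao !== '*') {
    reasons.push(`Access-Control-Allow-Origin ${acao} does not match ${req.origin}`);
  }
  if (req.credentials === 'include') {
    if (acao === '*') reasons.push('wildcard origin is rejected for credentialed requests');
    if (acac !== 'true') reasons.push('Access-Control-Allow-Credentials must be "true"');
  }
  return { allowed: reasons.length === 0, reasons };
}

// A POST with a form-encoded body is a "simple" request and skips the OPTIONS preflight.
function needsPreflight(req) {
  const simpleMethods = ['GET', 'HEAD', 'POST'];
  const simpleTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
  return !simpleMethods.includes(req.method) || !simpleTypes.includes(req.contentType);
}

// Summarise where a failure would come from: the browser's CORS layer or the application.
function classify(headers, req, secFetchSite) {
  const cors = corsAllowsResponse(headers, req);
  const cookie = parseSetCookie(headers['set-cookie']);
  return {
    verdict: cors.allowed ? 'application' : 'cors',
    preflight: needsPreflight(req),
    cookieName: cookie.name,
    cookieSent: cookieWouldBeSent(cookie, req.url, secFetchSite),
    reasons: cors.reasons,
  };
}

console.log(classify(responseHeaders, request, 'same-site'));
```

With the captured values the result is `verdict: 'application'`, `preflight: false` and `cookieSent: true`: the CORS headers allow the request, no preflight is involved, and the csrftoken cookie is eligible to be sent, so the 403 is a decision made by the subdomain's own login handler rather than by the browser.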