PEPPOL 403 Forbidden Problem Solved
The PEPPOL test server at api.ixordocs-stg.com requires the “User-Agent” header field to be present.
For example, a GET request to /v1/peppol/status is successful if the User-Agent header is present, and the returned response is:
    HTTP/1.1 200 OK
    Date: Thu, 09 May 2024 12:28:34 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 42
    Connection: keep-alive
    x-amzn-RequestId: ****
    access-control-allow-origin: *
    x-amzn-Remapped-content-length: 42
    x-amz-apigw-id: ****
    etag: ****
    x-powered-by: Express
    X-Amzn-Trace-Id: ****

    Ixordocs 3.0 Peppol API is up and running!
If no User-Agent header is present, then the response is
    HTTP/1.1 403 Forbidden
    Date: Thu, 09 May 2024 12:29:28 GMT
    Content-Type: application/json
    Content-Length: 24
    Connection: keep-alive
    x-amzn-RequestId: ****
    x-amzn-ErrorType: ForbiddenException
    x-amz-apigw-id: ****

    {"message":"Forbidden"}
I would like to suggest that servers should NOT fail requests because of the presence or absence of HTTP headers that make no difference to the response. If the server-side developers do consider User-Agent important and required, then the error message should say that a User-Agent is required. Don't reply with misleading error messages. A "403 Forbidden" tells the client that the request was understood but the server refuses to authorize it, so the first thing a developer checks is the access token in the Authorization header, not the User-Agent. Reply with a different 4xx status instead: "400 Bad Request" is the one that fits a request missing a required header, and the body of the response should say "Missing User-Agent header". One detail worth noting from the two responses above: the 403 carries x-amzn-ErrorType: ForbiddenException and lacks the x-powered-by: Express header of the successful reply, which is consistent with the request being rejected by the API Gateway or a WAF rule in front of the application rather than by the application code itself. That is where the requirement would have to be either relaxed or documented.
If servers were properly documented and implemented, systems would not be so brittle and would not break all the time. If error messages were useful, not misleading, and unambiguous, developers could spend far less time (and money) solving problems.