Troubleshooting HTTP Request Integration 403 Errors

Last updated on 18th October 2025

If your HTTP Request integration is failing with a 403 Forbidden error, this usually indicates that the target server or a security service is blocking DeployHQ's requests. This guide will help you diagnose and resolve the issue.

Common Symptoms

  • Integration works when accessing the URL directly in your browser
  • Integration works on some servers/domains but not others
  • Deployment logs show: "Client error when delivering integration: the server responded with status 403"
  • No request appears in your server's access logs

Most Common Cause: Cloudflare WAF

If your domain uses Cloudflare, their Web Application Firewall (WAF) is the most common cause of 403 errors for automated requests.

How to Identify Cloudflare Blocking

  1. Check your deployment logs for the failed integration
  2. Test the webhook URL manually with curl: 
curl -v -X POST "https://your-domain.com/your-webhook-endpoint"
  1. If you see a Cloudflare block page in the response with "Sorry, you have been blocked", Cloudflare is the cause

Solution: Configure Cloudflare to Allow DeployHQ

Option 1: Create a WAF Exception Rule (Recommended)

  1. Log into your Cloudflare dashboard
  2. Select your domain
  3. Go to SecurityWAFCustom rules
  4. Create a new rule to allow requests to your webhook:
    • Field: URI Path
    • Operator: equals
    • Value: /your-webhook-endpoint (use your actual webhook path)
    • Action: Skip (select "All remaining custom rules" and "WAF Managed Rules")
  5. Save the rule

Option 2: Allowlist by User-Agent

Create a WAF rule that allows the DeployHQ user-agent:

  1. Go to SecurityWAFCustom rules
  2. Create a new rule:
    • Field: User Agent
    • Operator: equals
    • Value: DeployHQ Integration (Faraday)
    • Action: Skip (select "All remaining custom rules" and "WAF Managed Rules")
  3. Save the rule

Option 3: IP Allowlisting

If you prefer to allowlist by IP address, contact DeployHQ support to obtain our current outbound IP addresses, then add them to Cloudflare's IP Access Rules:

  1. Go to SecurityWAFTools
  2. Add DeployHQ's IP addresses to IP Access Rules
  3. Set action to "Allow"

Verify the Fix

After making changes in Cloudflare:

  1. Wait 1-2 minutes for propagation
  2. Run a new deployment
  3. The integration should work immediately

Other Security Services

If you're not using Cloudflare, similar security services may be blocking the requests:

WordPress Security Plugins

Popular plugins like Wordfence, iThemes Security, Sucuri, or All In One WP Security may block automated requests.

Solution:

  1. Check the plugin's firewall/blocking logs
  2. Look for blocked requests from DeployHQ's user-agent: DeployHQ Integration (Faraday)
  3. Add an exception or allowlist rule for:
    • The webhook endpoint path
    • DeployHQ's user-agent
    • DeployHQ's IP addresses (contact support for current IPs)

ModSecurity / Server-Level WAF

If your server uses ModSecurity or another WAF:

  1. Check your server's error logs (not just access logs) during deployment time
  2. Look for ModSecurity rule violations
  3. Add an exception for your webhook endpoint or DeployHQ's user-agent

Load Balancers / Reverse Proxies

Services like AWS ALB, Nginx reverse proxy, or Cloudflare Workers may have security rules:

  1. Check the load balancer or proxy configuration
  2. Look for rate limiting, IP restrictions, or user-agent filtering
  3. Add appropriate exceptions for DeployHQ

Diagnostic Steps

If you're still experiencing issues:

  1. Check deployment logs in DeployHQ for the exact error message
  2. Test the endpoint manually using curl to confirm accessibility: 
curl -v -X POST -H "User-Agent: DeployHQ Integration (Faraday)" "https://your-webhook-url"

  1. Check server logs during deployment time:

    • Apache/Nginx access logs
    • Apache/Nginx error logs
    • WAF/security plugin logs
    • Application logs

  2. Verify authentication if your webhook uses basic auth or API keys:

    • Confirm credentials are correct in the integration settings
    • Test with the same credentials manually

  3. Compare working vs. non-working domains if some integrations work but others don't:

    • Check for different security configurations
    • Compare Cloudflare/WAF rules between domains
    • Verify webhook endpoints are identical

Additional Information

DeployHQ Request Details

When DeployHQ makes HTTP Request integrations, it:

  • Uses the user-agent: DeployHQ Integration (Faraday)
  • Makes POST requests by default
  • Includes a signature header: DEPLOYHQ_SIGNATURE for payload verification
  • Times out after 15 seconds
  • Does not follow redirects

Still Having Issues?

If you've tried the above solutions and are still experiencing 403 errors:

  1. Collect the following information:

    • Deployment log showing the error
    • Server error logs from the time of the deployment
    • Any security service logs (Cloudflare Ray ID, WAF logs, etc.)
    • The webhook URL (you can redact sensitive auth tokens)

  2. Contact DeployHQ support with this information for further assistance

We can provide our current outbound IP addresses and help diagnose complex security configurations.