
Intermittent HTTP 403 Forbidden error calling same Ajax code

I use my JavaScript client (say, foo.js) to call my PHP Ajax code in the server (say, bar.php). This works perfectly most of the time, but once in a while I get back HTTP 403 (Forbidden) instead of the usual 200 (OK). This happens using exactly the same code, same parameters, etc.

Why is that happening? How can I fix it? Is there a chance it's happening due to some action inside my bar.php code? How can I log the reason for it?

The foo.js client:

function postAjax(url, queryString, callback) {
  var x = new XMLHttpRequest();
  x.onreadystatechange = function() {
    if (x.readyState === 4) {  // 4=after HTTP response content finished loading
      if (x.status === 200) callback(true, x.responseText);
      else callback(false, x.status);
    }
  };
  x.open('POST', url, true);
  x.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
  x.setRequestHeader('Content-type','application/x-www-form-urlencoded');
  x.send(queryString);
}

var params = 'aaa=xxx&bbb=yyy';
postAjax('bar.php', params, myCallback);

function myCallback(ajaxStatus, ajaxResponse) { /* do something */ }

The bar.php server:

<?php
header('Content-Type: text/plain');
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
if ($isAjax) {
  /* Do something with $_POST['aaa'] and $_POST['bbb'] */
  echo 'Success';
}
else {
  echo 'Error';
}
?>

New info appended:

Browser Console (in this example Firefox):

When all is good (most of the time):
+ POST http://example.com/bar.php 200 OK ZZZms

When there is an error (e.g., after the 7th time, the last time I tried):
+ POST http://example.com/bar.php 403 Forbidden X ZZZms
and I get back 403 in ajaxResponse, which comes from x.status

Expanding the '+' in the Firefox console, I see the response:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /bar.php
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Looking at the Apache Raw Access Log (thru cPanel), I see a similar POST row for all, with the status changed from 200 to 404 in the 7th test:

<my IP> - - [17/Jan/2015:09:55:50 -0500] "POST /bar.php HTTP/1.1" 404 - "<my test url>" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"

"You don't have permission to access" ???
How come I have permission 6 times but not the 7th time?

Looking at the Apache Error Log (thru cPanel) for the same time, I see the row:

[Sat Jan 17 09:55:50 2015] [error] [client <my IP>] File does not exist: /home/<my user>/public_html/403.shtml, referer: <my test url>

Did some thorough research. It's... mod_security !!!

Look at http://www.opensourceforu.com/2011/08/securing-apache-part-10-mod_security/ , search for 'SecFilterScanPOST'. My 'aaa' posted variable serves as some random token, and once in a while had a value filtered by this mod_security mechanism.

This was fixed following a chat with the host support. Initially I thought I could solve it myself by editing some .htaccess file(s) appropriately, but eventually it appeared I needed their assistance.
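
An added example, not part of the original post: one way to answer "how can I log the reason" from the two cPanel logs alone is to pair each access-log 404 with an error-log lookup of a missing `<status>.shtml` error page from the same client in the same second, which reveals the status the server actually intended. The log lines are constructed in the formats quoted above; the `203.0.113.x` addresses, the `user` path, the referer and the function name `findMaskedDenials` are assumptions, as is the cPanel-style `<status>.shtml` ErrorDocument naming.

```javascript
// Constructed sample lines in the two log formats quoted in the post.
// 203.0.113.x, "user" and the referer URL are placeholders, not values from the post.
const accessLog = [
  '203.0.113.7 - - [17/Jan/2015:09:55:41 -0500] "POST /bar.php HTTP/1.1" 200 7 "http://example.com/test.html" "Mozilla/5.0"',
  '203.0.113.7 - - [17/Jan/2015:09:55:50 -0500] "POST /bar.php HTTP/1.1" 404 - "http://example.com/test.html" "Mozilla/5.0"',
  '203.0.113.9 - - [17/Jan/2015:09:56:02 -0500] "GET /missing.html HTTP/1.1" 404 - "-" "Mozilla/5.0"',
];
const errorLog = [
  '[Sat Jan 17 09:55:50 2015] [error] [client 203.0.113.7] File does not exist: /home/user/public_html/403.shtml, referer: http://example.com/test.html',
  '[Sat Jan 17 09:56:02 2015] [error] [client 203.0.113.9] File does not exist: /home/user/public_html/missing.html',
];

// Access log (combined format): client, date parts, method, path, logged status.
const ACCESS_RE = /^(\S+) \S+ \S+ \[(\d{2})\/(\w{3})\/(\d{4}):(\d{2}:\d{2}:\d{2}) [^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;
// Error log: a failed lookup of <status>.shtml means Apache was trying to serve
// the error page for that status, so the request had already been refused.
const ERROR_RE = /^\[\w{3} (\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4})\] \[error\] \[client ([^\]]+)\] File does not exist: \S*\/(\d{3})\.shtml/;

// Both logs use server-local wall-clock time, so client + second is the join key.
const key = (ip, year, mon, day, time) => `${ip}|${year}-${mon}-${day.padStart(2, '0')} ${time}`;

function findMaskedDenials(accessLines, errorLines) {
  const intendedStatus = new Map();
  for (const line of errorLines) {
    const m = ERROR_RE.exec(line);
    if (!m) continue; // ordinary missing files are not masked denials
    const [, mon, day, time, year, ip, status] = m;
    intendedStatus.set(key(ip, year, mon, day, time), Number(status));
  }
  const findings = [];
  for (const line of accessLines) {
    const m = ACCESS_RE.exec(line);
    if (!m) continue;
    const [, ip, day, mon, year, time, method, path, logged] = m;
    const intended = intendedStatus.get(key(ip, year, mon, day, time));
    if (logged === '404' && intended !== undefined) {
      findings.push({ ip, time, method, path, logged: 404, intended });
    }
  }
  return findings;
}

console.log(findMaskedDenials(accessLog, errorLog));
```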
