Spaces Returning Status 403 for Requests Made After Page Loads

As of now I have CORS configured for my Spaces bucket to allow origin: * , method GET, and allowed-headers: *.

I also have my Spaces keys set up.

I’m running a Django project on the App-Platform. I have the correct AWS S3 settings configured to connect to my Spaces bucket.

When my application initially loads in a browser all resources called for from Spaces are returned with status 200 and referrer policy: same-origin with no referer in request headers.

However, after initial page load, when css or javascript calls for a resource Spaces returns status 403 with referrer policy: strict-origin-when-cross-origin and a referer:

I’ve tried different CORS settings in my Spaces, and even set up Django-Cors-Headers in my project. Nothing has worked, and I’m pretty confused about why this is happening.


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Site Moderator
Site Moderator badge
October 18, 2023

I’ve personally not experienced this issue, but here is what I’ll check in case this happens:

  1. Confirm CORS Configuration in Spaces: Double-check your CORS settings in your Spaces bucket. Ensure that the CORS rules are correctly set to allow the necessary origins, methods, and headers. It’s a good practice to configure more specific CORS settings rather than using a wildcard (*) for security reasons.

  2. Inspect Request Headers: When the issue occurs, take a close look at the request headers, including the Referer header. You mentioned that the Referer header is present with a value of “” Ensure that there are no specific configurations or logic in your Django app that could be causing this header to be added.

  3. Django Middleware and Security: Check if you have any Django middleware or security settings that could be affecting the request headers. Some middleware may modify or add headers, potentially causing CORS issues.

  4. Cache and Cookies: Be aware that some browsers might cache CORS-related information. Clear your browser cache or try accessing the resources in an incognito/private browsing window to rule out any local caching issues. Additionally, check for any cookies being set, as they can affect CORS.

  5. Console Errors and Logging: Inspect your browser’s console for any error messages or warnings related to CORS. Also, enable detailed logging in your Django application to capture any relevant information regarding the requests and responses.

  6. CORS Pre-flight Requests: For some types of cross-origin requests (e.g., with certain HTTP methods or headers), the browser sends a pre-flight CORS request (an HTTP OPTIONS request) before making the actual request. Make sure that your CORS settings in Spaces allow these pre-flight requests by including the OPTIONS HTTP method in your CORS configuration.

  7. Test with a Specific Origin: Instead of using a wildcard (*), try specifying the exact origin in your CORS configuration. For example, if your Django app is hosted at “,” set the CORS configuration in Spaces to allow only that specific origin.

  8. Update Browser and Libraries: Ensure that your browser is up to date. Sometimes, outdated browsers may not handle CORS headers correctly. Similarly, update any relevant client libraries (e.g., AWS SDK for JavaScript).

Hope that this helps!

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel