# Fixing 403 Forbidden on Node.js v18+

**Published by:** [detoo](https://paragraph.com/@detoo-2/)
**Published on:** 2024-08-14
**URL:** https://paragraph.com/@detoo-2/fixing-403-forbidden-on-node-js-v18

## Content

It was quite annoying that, after upgrading node.js from v16 to v20, one of my old scripts stopped working and was throwing AxiosError: Request failed with status code 403. I knew it was the node version because, as soon as I switch back to node v16, the problem disappears. After hours of debugging, it turns out to be the term !CAMELLIA (i.e. don’t use Camellia-based algorithm) in node’s default cipher list, probably introduced after v18. It wasn’t clear to me why the remote endpoint requires such algorithm, but as soon as I remove the term everything was working again.const agent = new https.Agent({ // Note it is almost the same as node v20's default cipher list except without `!CAMELLIA` ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP' }) // Override the http.agent with ours axios.post("https://the-picky-endpoint.com", {}, { httpsAgent: agent }) Finally! Onwards!

## Publication Information

- [detoo](https://paragraph.com/@detoo-2/): Publication homepage
- [All Posts](https://paragraph.com/@detoo-2/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@detoo-2): Subscribe to updates
- [Twitter](https://twitter.com/Detoowang): Follow on Twitter