This post is about an experience of mine on fixing a HTTP 406 Not Acceptable error seen on one of my page.
Just got back from a business trip and opened my computer as usual to start to monitor my website statistics. But when I opened the page on showing real time page views, it shows nothing but zero. So I pressed F12 to bring up the developer tool to check on what's going on. The logic of loading the real time page view is backed by AJAX call. In the developer tool console, I see that the rAJAX request gets HTTP 406 Not Acceptable error. And in the network tab, see similar result.
This confuses me and worries me since I did see this page working last night and it sudden;y failed to work now. Is my site hacked or any change on browser update to restrict security policy?
I started the debugging process by searching online about what HTTP 406 code is. Based on online resources, it has below symptons.
-
The user agent may be localized to a particular locale or language that the server cannot provide. For example, a user agent may use the Accept-Languagerequest header to specify a valid language of French (Accept-Language: fr), but if the server cannot serve a response in French, a 406 code may be the only proper response.
-
The user agent may be requesting a specific type of content to be returned by the server. These content types, commonly know as MIME types, define things like plain text (text/plain), PNG images (image/png), mp4 videos (video/mp4), and so forth. Thus, the client may include the Accept header in the request and define an explicit MIME type that should be provided by the server (e.g. Accept: application/xml). If the server is unable to respond with the matching content type that was requested a 406 Not Acceptable response may be necessary.
So I started to check what request headers the browser was sending when the error occurred and see below.
At first glance, it seems everything is OK. Then I tried to call the same page without using AJAX, and luckily it worked. This means that the site should not be hacked. It has to relate to some recent change in server side security restriction. I continued to compare the difference of the request headers when calling through AJAX and calling normally.
The biggest difference is the Content-Type header. In the error case, the Content-Type is Application/x-www-form-urlencoded, it is set in our application code before sending the AJAX request. Is this a valid content type? After searching a while, it seems that this content type is invalid. The valid one is application/x-www-form-urlencoded. Post updating the application code and reloaded the page, see below request headers.
Now the page can be accessed correctly without HTTP 406 error anymore.
It seems our service provider has enhanced their security checks on incoming requests. Hope that this experience would be helpful to those who experiences the same error. You would follow similar steps to debug your problem in case you encountered it.
406 error