403 Error after Mautic 3.3.5 update

I have this 403 error after updating Mautic to the minor version 3.3.5.

How can I fix it? I cannot access Mautic anymore.

Hi there,

Please check your htaccess file did not have any changes which you require for your hosting. The update made a change to this file, so if your hosting environment has some settings customised in the file, you may need to review and update accordingly.

Thanks for your reply.

This is my htaccess; I don’t think there is any code of my hosting:

# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
#DirectoryIndex index.php

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Set Authorization header for OAuth1a for when php is running under fcgi
    RewriteCond %{HTTP:Authorization} .+
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Determine the RewriteBase automatically and set it as environment variable.
    # If you are using Apache aliases to do mass virtual hosting or installed the
    # project in a subdirectory, the base path will be prepended to allow proper
    # resolution of the app.php file and to redirect to the correct URI. It will
    # work in environments without path prefix as well, providing a safe, one-size
    # fits all solution. But as you do not need it in this case, you can comment
    # the following 2 lines to eliminate the overhead.
    RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
    RewriteRule ^(.*) - [E=BASE:%1]

    # Redirect to URI without front controller to prevent duplicate content
    # (with and without `/app.php`). Only do this redirect on the initial
    # rewrite by Apache and not on subsequent cycles. Otherwise we would get an
    # endless redirect loop (request -> rewrite to front controller ->
    # redirect -> request -> ...).
    # So in case you get a "too many redirects" error or you always get redirected
    # to the start page because your Apache does not expose the REDIRECT_STATUS
    # environment variable, you have 2 choices:
    # - disable this feature by commenting the following 2 lines or
    # - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
    #   following RewriteCond (best solution)
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^index\.php(/(.*)|$) %{ENV:BASE}/$2 [R=301,L]

    # If the requested filename exists, simply serve it.
    # We only want to let Apache serve files and not directories.
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule .? - [L]

    # Rewrite all other queries to the front controller.
    RewriteRule .? %{ENV:BASE}/index.php [L]
</IfModule>

<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        # When mod_rewrite is not available, we instruct a temporary redirect of
        # the start page to the front controller explicitly so that the website
        # and the generated links can still be used.
        RedirectMatch 302 ^(?!/(index\.php|index_dev\.php|app|addons|plugins|media|upgrade))(/(.*))$ /index.php$2
        # RedirectTemp cannot be used instead
    </IfModule>
</IfModule>

<IfModule mod_php5.c>
    # @link https://github.com/mautic/mautic/issues/1504
    php_value always_populate_raw_post_data -1
</IfModule>

<IfModule mod_deflate.c>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
        AddOutputFilterByType DEFLATE application/x-font
        AddOutputFilterByType DEFLATE application/x-font-opentype
        AddOutputFilterByType DEFLATE application/x-font-otf
        AddOutputFilterByType DEFLATE application/x-font-truetype
        AddOutputFilterByType DEFLATE application/x-font-ttf
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE font/opentype
        AddOutputFilterByType DEFLATE font/otf
        AddOutputFilterByType DEFLATE font/ttf
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE image/x-icon
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/javascript
        # Do not enable compression for file types that could contain secrets
        #AddOutputFilterByType DEFLATE text/html
        #AddOutputFilterByType DEFLATE text/plain
        #AddOutputFilterByType DEFLATE text/xml
        #AddOutputFilterByType DEFLATE application/xhtml+xml
        #AddOutputFilterByType DEFLATE application/xml
        #AddOutputFilterByType DEFLATE application/json
        <IfModule mod_setenvif.c>
            <IfModule mod_header.c>
                # Remove browser bugs (only needed for really old browsers)
                BrowserMatch ^Mozilla/4 gzip-only-text/html
                BrowserMatch ^Mozilla/4\.0[678] no-gzip
                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
                Header append Vary User-Agent
            </IfModule>
        </IfModule>
    </IfModule>
</IfModule>

# Apache 2.4+
<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

    # Deny access via HTTP requests to composer files.
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>

# Fallback for Apache < 2.4
<IfModule !authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Deny access via HTTP requests to composer files
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Order allow,deny
        Allow from all
    </If>
</IfModule>

In the htaccess, try disabling these lines:

    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

Let us know if this helps.


Linking to GitHub issue:


yes, it seems it is working now, thanks!


@raramuridesign - it helped, it worked. Thank you very much. :hugs:


That fixed it.


@raramuridesign, Thank you so much. I thought I had read every single idea on the internet to fix this and you finally gave me the right advice. Thank you so much for sharing!



I installed Mautic with Softaculous Apps Installer (clean subfolder install).

I had a 403 error when I tried to activate the API. I tried everything written here and on the forum without success.

I fixed it by simply disabling “ModSecurity” in cPanel, which solved the issue directly.

I put back the original htaccess, even though I was in a “subfolder” configuration.

Here is my actual htaccess:

I hope this post will help people.

I tried the same and it’s still not working. Does anyone have another idea, please?

… is your Mautic installed in a sub directory? Then you need to edit your .htaccess.
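
An added example (not from the thread or the Mautic project): a simplified Python model of the Apache 2.4 rules posted above, showing why the `^/`-anchored `<If>` allow-list denies the front controller on a subdirectory install, and how prefixing that pattern restores access while the blanket PHP deny rule stays active. The base path `mautic` and the file `plugins/placeholder.php` are assumptions for illustration.

```python
import re

# Constructed sample: the Apache 2.4 access rules from the .htaccess posted above.
SAMPLE = r'''
<IfModule authz_core_module>
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
'''

# Active (uncommented) allow-list expression and blanket PHP deny rule.
IF_RE = re.compile(r'^\s*<If\s+"%\{REQUEST_URI\}\s*=~\s*m#(.+?)#">', re.M)
DENY_RE = re.compile(r'^\s*<FilesMatch\s+"\\\.php\$">\s+Require all denied', re.M)

def audit(htaccess, base_path=""):
    """Simplified model: .php files are denied unless the <If> pattern matches."""
    base = base_path.strip("/")
    base = "/" + base if base else ""
    m = IF_RE.search(htaccess)
    allow = re.compile(m.group(1)) if m else None
    deny_active = bool(DENY_RE.search(htaccess))

    def decide(uri):
        if not uri.endswith(".php") or not deny_active:
            return "allow"
        return "allow" if allow and allow.search(uri) else "deny"

    return {
        "php_deny_active": deny_active,
        "front_controller": decide(base + "/index.php"),
        # Hypothetical internal script that should never be served directly.
        "internal_php": decide(base + "/plugins/placeholder.php"),
    }

def fix_for_subdir(htaccess, base_path):
    """Prefix the allow-list pattern with the install subdirectory."""
    prefix = "m#^/" + re.escape(base_path.strip("/")) + "/"
    return IF_RE.sub(lambda m: m.group(0).replace("m#^/", prefix, 1), htaccess)

if __name__ == "__main__":
    print("root install:  ", audit(SAMPLE))
    print("subdir, as-is: ", audit(SAMPLE, "mautic"))  # front controller denied -> 403
    print("subdir, fixed: ", audit(fix_for_subdir(SAMPLE, "mautic"), "mautic"))
```

In this model, commenting out the `FilesMatch "\.php$"` block also returns `allow` for `internal_php`, which is the protection the 3.3.5 rules were added to provide.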