SuiteCRM troubles could be caused by non-default session.name

SuiteCRM is a popular Open Source CRM platform. It uses PHP at its core for backend (server side) tasks. Given the flexibility of Apache and Nginx as web servers, and the number of ways PHP can be configured, it’s easy to run into trouble, as I did.

If you are experiencing issues with 403 (“Forbidden” or “Access denied”) errors with SuiteCRM, in particular for URLs beginning with /api/graphql, there are a couple of things you could check:

1. The session name

SuiteCRM, up to at least version 8.4.0, makes assumptions about the PHP session name. The default setting is PHPSESSID. I have always changed this for all instances of PHP I have configured, and I typically change it for every PHP-FPM pool as well.

Make sure the PHP setting session.name is configured as "PHPSESSID" (sans quotes).

2. The rewrite base

If you’re using Apache for your SuiteCRM environment, make sure you check the RewriteBase directive located in the .htaccess file in the public/legacy folder of your SuiteCRM installation. For most normal situations, this should be /legacy/ and nothing else.
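Both checks can be scripted. The following is an added example, not part of the original post or of SuiteCRM: it statically reads the config files you pass it (php.ini and PHP-FPM pool files, in load order, so a later file overrides an earlier one) and the .htaccess file. The function names and the sample file contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: static check of the two settings discussed above.
# File names and sample contents below are constructed for illustration.

# Print the last session.name set in the given php.ini / PHP-FPM pool files.
# Handles "session.name = X" and "php_value[session.name] = X" /
# "php_admin_value[session.name] = X"; lines commented out with ';' are skipped.
# Prints PHP's default (PHPSESSID) if no file sets it.
session_name_from() {
  local v
  v=$(sed -n -E \
    's/^[[:space:]]*(php_(admin_)?value\[session\.name\]|session\.name)[[:space:]]*=[[:space:]]*"?([^"[:space:];]+)"?.*$/\3/p' \
    "$@" | tail -n 1)
  printf '%s\n' "${v:-PHPSESSID}"
}

# Print the argument of the first uncommented RewriteBase in an .htaccess file.
rewrite_base_from() {
  sed -n -E 's/^[[:space:]]*RewriteBase[[:space:]]+([^[:space:]]+).*$/\1/p' "$1" | head -n 1
}

# Return 0 only if both settings match what the post says SuiteCRM expects.
check_suitecrm() {  # usage: check_suitecrm HTACCESS PHP_CONFIG...
  local htaccess=$1 rc=0 name base
  shift
  name=$(session_name_from "$@")
  base=$(rewrite_base_from "$htaccess")
  [ "$name" = "PHPSESSID" ] || { echo "session.name is '$name', expected PHPSESSID"; rc=1; }
  [ "$base" = "/legacy/" ] || { echo "RewriteBase is '$base', expected /legacy/"; rc=1; }
  return $rc
}

# Constructed sample input: php.ini keeps the default, the pool file renames it.
demo=$(mktemp -d)
printf '%s\n' '; session.name = IGNORED' 'session.name = PHPSESSID' > "$demo/php.ini"
printf '%s\n' '[crm]' 'php_admin_value[session.name] = CRMSESS' > "$demo/pool.conf"
printf '%s\n' '# RewriteBase /old/' 'RewriteEngine On' 'RewriteBase /legacy/' > "$demo/htaccess"

check_suitecrm "$demo/htaccess" "$demo/php.ini" "$demo/pool.conf" || echo "=> fix the pool override"
```

The sample run shows why checking php.ini alone is not enough: a per-pool override changes the session name even when the global setting is the default.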

 

 

(Image courtesy of unDraw)
