xyu / heroku-wp

WordPress on Heroku

403 Forbidden Errors

jkosoy opened this issue

My app encounters 403 Forbidden errors whenever I attempt to POST to admin-ajax.php. We're seeing the issue specifically when submitting results with the Ninjaform WordPress Plugin while logged in, though I suspect this isn't local to that single plugin.

The Ninjaforms folks have advised that it might be a ModSecurity issue, but I'm not seeing great documentation for (a) if that exists on Heroku and (b) how to disable it in Nginx.

Given all that, I'm going to presume at a minimum that other people will encounter this kind of error with this repo (which is awesome, btw!) and hopefully have a resolution here. Questions on my mind:

  • Is this an issue with my install?
  • ... or with the repository?
  • How does one go about fixing this for Nginx?
  • ... on Heroku?

So many questions! Appreciate all the help in advance.

Surprise surprise, I solved it myself!

For posterity's sake, it looks like some (in this case, Ninjaforms) plugins refer to https admin-ajax, hard coded. If you're testing your site via HTTP this will create the error. The solution is to always run the site securely.

If you're running without a custom domain name you can simply just point your browser at https://[your-app].herokuapp.com. Otherwise you'll need an SSL Endpoint.

You can enable your site to force a redirect to HTTPS in the nginx.rewrites.conf included in the repo.
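
An added example, not part of the original comment and not the repository's own configuration: one common way to force HTTPS in nginx behind Heroku's router. It assumes `nginx.rewrites.conf` is included inside the `server { }` block and that the router sets the `X-Forwarded-Proto` header; the HSTS `max-age` value is illustrative.

```nginx
# Added example; assumes this file is included inside the server { } block.
# Heroku's router terminates TLS and forwards plain HTTP to the dyno, so the
# original scheme is only visible in the X-Forwarded-Proto request header.
if ($http_x_forwarded_proto != "https") {
    # 301 covers page loads. Browsers typically replay a redirected POST as a
    # GET, so forms and AJAX calls still need to target https:// directly.
    return 301 https://$host$request_uri;
}

# Ask browsers to use HTTPS on later visits (max-age here is an example value).
add_header Strict-Transport-Security "max-age=31536000" always;
```

Because the redirect does not preserve a POST body in most clients, it keeps visitors on HTTPS from the first page load rather than repairing a form already submitted over HTTP.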