403 on local API with "Allow other applications..." enabled


Jakub D.

Jul 3, 2025, 4:46:02 PM
to zotero-dev
I have seen mentions of this in a couple of places but I thought it would be good to have a dedicated thread.

I was interested in trying out the Local API, but it seems to not be working for me in Zotero 7.0.19. I have enabled "Allow other applications on this computer to communicate with Zotero" in the advanced settings and restarted Zotero, but this didn't change anything.

For example, `curl "http://localhost:23119/api/"` gives "The remote server returned an error: (403) Forbidden." Here's the debug output:

(5)(+0001180): GET /api/ HTTP/1.1 user-agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.22621.4391 host: localhost:23119 connection: Keep-Alive

(5)(+0000000): HTTP/1.0 403 Forbidden X-Zotero-Version: 7.0.19 X-Zotero-Connector-API-Version: 2 Content-Type: text/plain Request not allowed


Dan Stillman

Jul 3, 2025, 5:00:27 PM
to zoter...@googlegroups.com
On 7/3/25 2:56 PM, Jakub D. wrote:
> For example, `curl "http://localhost:23119/api/"` gives "The remote
> server returned an error: (403) Forbidden." Here's the debug output:
>
> (5)(+0001180): GET /api/ HTTP/1.1 user-agent: Mozilla/5.0 (Windows NT;
> Windows NT 10.0; en-GB) WindowsPowerShell/5.1.22621.4391 host:
> localhost:23119 connection: Keep-Alive
>
> (5)(+0000000): HTTP/1.0 403 Forbidden X-Zotero-Version: 7.0.19
> X-Zotero-Connector-API-Version: 2 Content-Type: text/plain Request not
> allowed
>

User-Agent strings beginning with "Mozilla/" aren't allowed unless you
add a 'zotero-allowed-request: 1' header. This was originally a somewhat
ungraceful protection against DNS rebinding attacks and is likely either
unnecessary with current browser defenses or better replaced by a
different technique, but we'd have to investigate further before
changing it.

(Note that you're using PowerShell's curl alias, which I guess uses a
"Mozilla/" UA string. That's not the real curl UA string.)

Jakub D.

Jul 3, 2025, 5:05:45 PM
to zotero-dev
Thank you so much, that solves it! I didn't anticipate PowerShell replacing curl with its own alias, so the UA being browser-like didn't cross my mind. The request is indeed successful when done through Python's requests library. Thanks for your help.
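
The rule described in Dan Stillman's reply, as an added example that is not part of the original thread and is not Zotero's code: a throwaway local server models the stated check, and three requests show why the PowerShell alias got a 403 while other clients succeed. The names `request_allowed`, `ModelHandler`, `probe` and `run_demo`, the ephemeral port and the `example-client/1.0` User-Agent are assumptions made for the illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# User-Agent copied from the debug output in the thread (PowerShell's curl alias).
PS_UA = ("Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) "
         "WindowsPowerShell/5.1.22621.4391")

def request_allowed(headers):
    """Rule as stated in the reply; a model, not Zotero's source."""
    if not headers.get("User-Agent", "").startswith("Mozilla/"):
        return True  # non-browser-like clients pass
    return headers.get("zotero-allowed-request") == "1"  # explicit opt-in

class ModelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = request_allowed(self.headers)
        body = b"ok" if ok else b"Request not allowed"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def probe(url, user_agent, opt_in=False):
    headers = {"User-Agent": user_agent}
    if opt_in:
        headers["zotero-allowed-request"] = "1"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx arrive as exceptions

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), ModelHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/"
    try:
        return {"ps_alias": probe(url, PS_UA),
                "ps_alias_opt_in": probe(url, PS_UA, opt_in=True),
                "plain_client": probe(url, "example-client/1.0")}  # constructed UA
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```
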