2 months ago
We're running a Next.js application on Railway. Facebook's Open Graph crawler is receiving HTTP 403 responses when scraping any URL on our custom domain. This blocks all link previews when sharing on Facebook, which is critical for our business (we're launching a campaign today).
What we've verified:
- Our application returns HTTP 200 for all requests, including requests with Facebook's user-agent (
facebookexternalhit/1.1) curl -A "facebookexternalhit/1.1" https://modalsnytt.smartavis.no/kampanje/dodvannreturns 200 with correct HTML- Facebook Sharing Debugger consistently reports 403 for ALL URLs on the domain — both new and existing paths
robots.txtexplicitly allowsfacebookexternalhit- The 403 is not from our application — it originates from the Fastly CDN layer (
x-railway-cdn-edge: fastly/*)
Details:
- Railway service:
smartavis-production.up.railway.app - Custom domain:
*.smartavis.no(CNAME →i0m2uqny.up.railway.app) - Test URL: https://modalsnytt.smartavis.no/kampanje/dodvann
- Facebook Debugger: https://developers.facebook.com/tools/debug/?q=https%3A%2F%2Fmodalsnytt.smartavis.no%2Fkampanje%2Fdodvann
Request: Please check if Fastly bot protection or WAF rules are blocking Meta's crawler IP ranges (AS32934). This affects Facebook, Instagram, WhatsApp, and Threads link previews for all our customers.
Attachments
3 Replies
Status changed to Awaiting Railway Response Railway • about 2 months ago
2 months ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • about 2 months ago
2 months ago
Hey, i think your 403 is not coming from your app. your curl test proves your app returns 200 just fine for facebookexternalhit.
the 403 is coming from the fastly cdn layer sitting in front of your app. you can see this in the response header x-railway-cdn-edge: fastly. that means the request is being blocked before it ever reaches your next.js app
2 months ago
Railways Fastly DDoS/WAF layer is blocking facebookexternalhit with 403. This appears to be the same class of false positive you've acknowledged before (Feb 2026 incident). We have no CDN toggle in our dashboard to work around this. Can you whitelist Facebook's crawler in the Fastly config for our domains?
18 days ago
We've traced this to Meta/Facebook's side. On our end, the request comes through and we respond with HTTP 200 — but Facebook's debugger reports a 403, which points to something happening after the response leaves us. Since the failure is on their end, it's not something we can fix from here. You'll want to raise this with Meta directly.
Status changed to Solved ray-chen • 18 days ago