Tip - Handling HTTP 403 Forbidden when querying the Search REST Service using the PostQuery method

 Applies to: SharePoint 2013

This post is a continuation to my last one describing how to POST a search request to the postquery method in the Search REST API in SharePoint 2013.

When posting the request, you get a HTTP 403 Forbidden back in response from the Search service with an error message stating “The security validation for this page is invalid and might be corrupted. Please use your web browser's Back button to try your operation again.

The reason for getting the 403 Forbidden status is mainly because you are missing an important header in your request which is the X-RequestDigest header.

 So what is the X-RequestDigest header all about?

This header contains an essential piece of information known as the form digest. The form digest is an object that is inserted into a page by SharePoint and is used to validate client requests. Validation of client requests is specific to a user, a site and time-frame.

SharePoint relies on the form digest as a form of security validation that helps prevent replay attacks wherein users may be tricked into posting data to the server.

Where do I get the form digest value to include in my request?

As described on this page on MSDN, you can retrieve this value by making a POST request with an empty body to http://site/_api/contextinfo and extracting the value of the “d:FormDigestValue” node in the XML that the contextinfo endpoint returns.

However, I have also noticed that issuing an empty body request to the postquery method itself in the Search Service endpoint at http://site/_api/search/postquery does return the form digest value as a header within the response. So, you can first issue an empty request to postquery, extract the X-RequestDigest header value from the response and use that in subsequent requests.