406 Not Acceptable Errors

Resolve mod_security blocks, WAF false positives, and content negotiation issues causing 406 HTTP responses.

What Is a 406 Error?

A 406 Not Acceptable error means the server cannot produce a response matching the criteria the client specified in the request's Accept headers. In practice, however, the overwhelming majority of 406 errors on shared hosting are caused by mod_security (a web application firewall) blocking the request.

Common Causes

  • mod_security false positive — the WAF flagged a legitimate request as malicious
  • Form submission blocked — certain words, SQL-like syntax, or special characters in form data trigger security rules
  • API/AJAX request rejected — request headers or body content matched a security pattern
  • Content negotiation mismatch — (rare) the server genuinely can't serve the requested content type

Identifying the Trigger

Check the Error Logs

mod_security logs which rule triggered the block. Check:

# Apache mod_security log
tail -50 /var/log/apache2/modsec_audit.log

# Or on cPanel
tail -50 /usr/local/apache/logs/modsec_audit.log

# Look for entries with your IP and the blocked URL
grep "406" /var/log/apache2/error.log

Identify the Rule ID

Each mod_security rule has a unique ID. The audit log will show something like id "950001". You need this ID to whitelist the rule.
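As an added example (not part of the original article), the shell function below pulls the denying rule ID and request path out of the audit log and counts them, so you can see which rule is responsible for the 406s before whitelisting anything. It assumes the ModSecurity 2.x serial audit log format with parts B and H recorded; the function names and the sample log are constructed for illustration.

```shell
# Count 406 denials per rule ID and request path in a ModSecurity 2.x
# serial-format audit log (file arguments, or stdin when none are given).
modsec_406_rules() {
    awk '
    /^--[0-9A-Za-z]+-[A-Z]--$/ {          # section boundary such as --a1b2c3d4-H--
        section = substr($0, length($0) - 2, 1)
        if (section == "A") uri = "-"     # new transaction: forget the last path
        first = 1; next
    }
    section == "B" && first {             # request line: METHOD URI PROTOCOL
        split($2, parts, "?")             # keep the path, drop the query string
        uri = parts[1]; first = 0; next
    }
    section == "H" && /^Message: / && /with code 406/ {
        if (match($0, /\[id "[0-9]+"\]/)) # ID of the rule that denied the request
            hits[substr($0, RSTART + 5, RLENGTH - 7) " " uri]++
    }
    END { for (k in hits) print hits[k], k }
    ' "$@" | sort -rn
}

# Constructed sample log: three denied requests plus one warning-only match.
sample_audit_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[10/Mar/2024:12:00:01 +0000] tx0001 203.0.113.10 51234 192.0.2.5 443
--a1b2c3d4-B--
POST /contact.php HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 406 (phase 2). Pattern match at ARGS:message. [id "950001"] [msg "constructed sample"]
--a1b2c3d4-Z--
--b2c3d4e5-A--
[10/Mar/2024:12:03:17 +0000] tx0002 203.0.113.10 51240 192.0.2.5 443
--b2c3d4e5-B--
POST /contact.php?ref=1 HTTP/1.1
--b2c3d4e5-H--
Message: Access denied with code 406 (phase 2). Pattern match at ARGS:message. [id "950001"] [msg "constructed sample"]
--b2c3d4e5-Z--
--c3d4e5f6-A--
[10/Mar/2024:12:05:42 +0000] tx0003 198.51.100.7 40112 192.0.2.5 443
--c3d4e5f6-B--
POST /api/submit HTTP/1.1
--c3d4e5f6-H--
Message: Warning. Pattern match at ARGS:q. [id "999999"] [msg "constructed, logged but not denied"]
Message: Access denied with code 406 (phase 2). Pattern match at ARGS:q. [id "950005"] [msg "constructed sample"]
--c3d4e5f6-Z--
EOF
}
```

Run it against the real log as `modsec_406_rules /var/log/apache2/modsec_audit.log`; each output line is a count, a rule ID, and the path that was blocked.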

Test Without mod_security

Temporarily disable mod_security for your site to confirm it's the cause (if your host allows it).

cPanel ModSecurity Configuration

If your host provides cPanel with ModSecurity tools:

  1. Go to cPanel → Security → ModSecurity
  2. You can disable ModSecurity for your entire domain (not recommended for production)
  3. Or review the blocked requests and whitelist specific rules

Whitelisting Rules via .htaccess

If you have access to modify .htaccess, you can disable specific mod_security rules:

# Disable a specific rule by ID
<IfModule mod_security2.c>
    SecRuleRemoveById 950001
    SecRuleRemoveById 950005
</IfModule>

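# Disable mod_security for a specific URL path
# (<LocationMatch> is not allowed in .htaccess; this block belongs in the
# server or virtual host configuration)
<IfModule mod_security2.c>
    <LocationMatch "/api/submit">
        SecRuleEngine Off
    </LocationMatch>
</IfModule>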

# Disable mod_security entirely for this directory (use with caution)
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>

Security Consideration

Disabling mod_security entirely removes an important security layer. Always prefer whitelisting specific rules by ID rather than turning the entire engine off. Only disable it for specific paths that need it.

API and AJAX Request 406 Errors

If your JavaScript AJAX calls are getting 406 responses:

  • Check that the Content-Type header matches what the server expects (e.g., application/json)
  • Avoid sending SQL-like keywords in plain text POST data — mod_security may flag them
  • Use JSON encoding for form data instead of URL-encoded format
  • Add proper CORS headers if the request is cross-origin

// Example: Send JSON instead of form data
fetch('/api/endpoint', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    },
    body: JSON.stringify({ key: 'value' })
});

Pro Tip

If you're consistently hitting mod_security issues on shared hosting, consider a VPS where you have full control over the WAF rules. With your own server, you can fine-tune ModSecurity or switch to alternatives like fail2ban + custom iptables rules.