Vtiger Illegal Request Error: How to Solve It

To improve security, Vtiger 6.x added a new validation intended to prevent remote HTTP connections to the CRM. This validation, which adds a layer of CSRF protection, has caused many Vtiger users to see this error message:

{"success":false,"error":{"code":"Illegal request","message":"Illegal request"}}

What Does the 'Vtiger Illegal Request' Error Mean?

The error message means that the URL in the browser does not match the URL in Vtiger's settings file. If you go to your Vtiger folder and open config.inc.php, you will see a variable like this:

$site_URL = 'http://www.example.com/vtigercrm/';

If you type the same URL in your browser, you will connect to your CRM successfully. But if you type the IP address of the same server instead, you will get:

{"success":false,"error":{"code":"Illegal request","message":"Illegal request"}}

How to Solve the Vtiger Illegal Request Error

If you keep facing this error you have at least three options:

  • Update the config.inc.php file and set the $site_URL variable to the URL you most frequently use to access your CRM.
  • Remove the validation altogether. (Not recommended)
  • Add a list of known addresses so that you can reach your CRM from more than one URL. (Recommended)

To add more URL options, you need to edit the file located at vtigerCRM/includes/HTTP/Request.php. Around line 207 you will find the function validateReferer(). In this function you will need to replace:

if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && ($this->get('module') != 'Install')) {
    throw new Exception('Illegal request');
}

with:

$site_ALT_URL = 'http://www.one_more_url.com/vtigercrm';

// Reject only when the referer starts with neither allowed URL.
// The two checks must be joined with &&; with || every request would be rejected.
if ((stripos($_SERVER['HTTP_REFERER'], $site_URL) !== 0) && (stripos($_SERVER['HTTP_REFERER'], $site_ALT_URL) !== 0) && ($this->get('module') != 'Install')) {
    throw new Exception('Illegal request');
}

With this small change, you have allowed one extra URL to connect to your CRM. If you need to add more than one URL, it would probably be a good idea to keep an array of allowed URLs and change the function accordingly.
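
The array-based check suggested above, as an added example that is not Vtiger's code or the author's: it tests the Referer against a list of allowed base URLs and compares scheme, host and port exactly instead of by string prefix. The function name isAllowedReferer(), the $allowedUrls array and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Vtiger's own code. isAllowedReferer() and $allowedUrls are hypothetical names.
function isAllowedReferer($referer, array $allowedUrls)
{
    $ref = parse_url((string) $referer);
    if (!is_array($ref) || empty($ref['scheme']) || empty($ref['host'])) {
        return false; // missing or malformed Referer header
    }
    $refPort = isset($ref['port']) ? $ref['port'] : null;
    $refPath = rtrim(isset($ref['path']) ? $ref['path'] : '', '/') . '/';

    foreach ($allowedUrls as $base) {
        $b = parse_url($base);
        if (!is_array($b) || empty($b['scheme']) || empty($b['host'])) {
            continue; // skip malformed allow-list entries
        }
        $basePort = isset($b['port']) ? $b['port'] : null;
        $basePath = rtrim(isset($b['path']) ? $b['path'] : '', '/') . '/';

        // Scheme, host and port must match exactly; an explicit :80 differs from no port.
        $sameOrigin = strcasecmp($ref['scheme'], $b['scheme']) === 0
            && strcasecmp($ref['host'], $b['host']) === 0
            && $refPort === $basePort;

        // Trailing slashes keep /vtigercrm from matching /vtigercrm-old.
        if ($sameOrigin && strpos($refPath, $basePath) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: two allowed base URLs and a few Referer values to try.
$allowedUrls = array(
    'http://www.example.com/vtigercrm/',
    'http://192.0.2.10/vtigercrm/',
);
$samples = array(
    'http://www.example.com/vtigercrm/index.php?module=Contacts',
    'http://192.0.2.10/vtigercrm/index.php',
    'http://www.example.com/vtigercrm-old/index.php',
    'http://other.example.net/vtigercrm/',
    '',
);
foreach ($samples as $r) {
    printf("%-60s %s\n", $r, isAllowedReferer($r, $allowedUrls) ? 'allowed' : 'rejected');
}
```

In validateReferer(), the condition would then read !isAllowedReferer(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '', $allowedUrls) && ($this->get('module') != 'Install').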
