As of ~June 2026, Client.Login() (the local reverse-proxy to login.ah.nl) no
longer works: AH's bot protection returns 403 Access Denied to requests from
Go's default net/http client, so the login page never loads through the proxy
and the OAuth code is never obtained.
Reproduce
Proxying GET https://login.ah.nl/secure/oauth/authorize?client_id=appie&redirect_uri=appie://login-exit&response_type=code
through the httputil.ReverseProxy in login.go returns:
HTTP/1.1 403
<HTML><HEAD><TITLE>Access Denied</TITLE></HEAD>
<BODY><H1>Access Denied</H1><P>Reference #0.xxxxxxxx.xxxxxxxxxx.xxxxxxx</P></BODY></HTML>
(WAF block page.)
Root cause
Go's default TLS ClientHello + header ordering is fingerprintable and AH's WAF now
blocks it. httputil.ReverseProxy uses http.DefaultTransport, so every proxied
request is denied before the user ever sees the login form.
As of ~June 2026,
Client.Login()(the local reverse-proxy tologin.ah.nl) nolonger works: AH's bot protection returns 403 Access Denied to requests from
Go's default
net/httpclient, so the login page never loads through the proxyand the OAuth code is never obtained.
Reproduce
Proxying
GET https://login.ah.nl/secure/oauth/authorize?client_id=appie&redirect_uri=appie://login-exit&response_type=codethrough the
httputil.ReverseProxyinlogin.goreturns:(WAF block page.)
Root cause
Go's default TLS ClientHello + header ordering is fingerprintable and AH's WAF now
blocks it.
httputil.ReverseProxyuseshttp.DefaultTransport, so every proxiedrequest is denied before the user ever sees the login form.