Anonymous Suitelet Demands User Agent Header

This article is relevant if you are working with NetSuite’s Suitelets and attempting to connect in an Anonymous fashion.

Background

NetSuite’s Suitelet technology, and its close partner, Restlets, are excellent technologies to produce integrations between NetSuite and other internet based systems.  Restlets are the preferred approach to send JSON data between NetSuite and third party systems Restlets require user authentication to work.   However, there are times that you need anonymous access to NetSuite to expose business data to third parties.  This is where Suitelets offer a solution.

If you are developing Suitelet technology, you know that you need to make sure that the Audience is Public by including “All Roles”.  Of course, you must also turn on the “Available without Logon” checkbox in the deployment definition.

You may find that things are working as you expect as you test your Suitelet.  But then you may find that you encounter funny connection errors.

Suitelet Error: HTTP 405 Method Not Allowed

We kept encountering an HTTP 405 Method Not Allowed error when the Suitelet was working as expected using our favorite JSON posting tool, PostMan.

After a fair amount of trial and error work, an engineer on my team figured out that you need to have a User Agent  Header record in the HTTPs request.  You may be coming from a server environment that is not supplying this value automatically.  To solve this, add the following key/value pair  to the HTTP Headers: “User-Agent : Mozilla/5.0”.  Now the Suitelet will think that the request is coming from a browser and it should accept the anonymous request.

Addendum

As of September, 2017, We recently discovered that if NO User agent is sent, NetSuite will work. Some server side applications are sending a User-Agent (it may not be obvious) and this causes a problem. We also discovered that NetSuite only lets some specific User-Agents in; I don’t have a valid list but it does mean you may need trial and error techniques to get it dialed in.

Extend NetSuite

Remember, NetSuite is a platform designed to be enhanced to meet business requirements.  If you want help extending NetSuite, contact us.

Be Sociable, Share!

Marty Zigman

Holding all three official certifications, Marty is regarded as the top NetSuite expert and leads a team of senior professionals at Prolecto Resources, Inc. He is a former Deloitte & Touche CPA and has held CTO roles. For over 30 years, Marty has produced leadership in ERP, CRM and eCommerce business systems. Contact Marty to set up a conversation.

More Posts - Website - Twitter - Facebook - LinkedIn - YouTube

| Tags: , , , , | Category: NetSuite, Technical | 19 Comments

19 thoughts on “Anonymous Suitelet Demands User Agent Header

  1. Jaime says:

    Did you guys ever find a way to get around this “limitation”? I’m experiencing the same issue with anonymous Suitelets, but I don’t have control over the HTTP requests, because they come from an external system. I noticed that when the source doesn’t send the User-Agent header, the request gets dropped before it even reaches the script execution flow. Do you guys have any idea how I could overcome this?

  2. Marty Zigman says:

    Hi Jamie,

    Here is what I believe you can do. If you have the Site Builder web site, you can activate SuiteScript Server Pages. With this technology, I have been able to produce and receive anonymous server based callbacks that do not require that header setting.

    Marty

  3. Hi Marty,

    Thanks for the SSP tip.
    I’ve actually been dealing with this since sometime in 2009. FWIW I operate a proxy for a number of customers who, like Jamie, cannot alter the request headers.

    The other use it has is that some external systems cannot POST to a url with query parameters. The proxy handles that case as well.

  4. Marty Zigman says:

    Hey Brett,

    That’s very cool. I wonder if you could setup a general service for this. Yet, it needs to be trusted because credentials are on the wire. Any thoughts on publishing more about it?

    Marty

  5. Hi Marty,
    Actually the credentials are not on the wire because this is specifically for anonymous suitelets.

    If you are doing machine to machine you can use a RESTLet which doesn’t have the User-Agent issue but does require a valid Netsuite login.

    A general service could be set up but the configuration for this is pretty trivial so hasn’t been necessary.

  6. Marty Zigman says:

    Right, of course. This is a SuiteLet so it doesn’t require a credential. I wonder if it makes sense to produce a simple Java servlet or Python script to the general NetSuite community to solve this. Ideally, NetSuite would resolve it so we don’t have do this intermediate step.

  7. Well because this ends up being proxy the code needs to be fairly capable. I put the servlet I have together by piecing together tips from a number of sources. I’d be happy to put that up on github if anyone actually wants to use it. Also as mentioned above I do host this as a service for $180/year.

  8. Prasun says:

    I am facing exactly the same issue and I do not have the control over the http header either. But the external application does send it’s own user-agent header, say “ABC/2.0” . This returns a 405 error. Is there a way to add a trusted user-agent value for the suitelet ?

  9. Marty Zigman says:

    I believe you will need to send your own header to fool NetSuite. Might you be having a different type of error? Have you tried using PostMan to see if you can indeed connect?

  10. Prasun says:

    Well, I do not have the option to fiddle with the header in this case. So I found a work around. Got the request posted to an intermediate endpoint, modify the headers and then post it to NetSuite. I am using Google Could function in this case.

  11. Wes Winters says:

    I’m facing the same issue with setting up a public suitelet, and came across this post. I see in the comments that a workaround using SSP applications works for you. I have written a small test .ss script, but when I create a new SSP application, the Touch Point is required. What touch point did you use to workaround sending your own User-Agent string to a public Suitelet?

  12. Marty Zigman says:

    Hi Wes,

    I don’t believe you need a touch point. But you do need to be working with a site that leverages SSP. See my article: https://blog.prolecto.com/2015/04/18/learn-suitecommerce-advance-suitescript-server-pages-ssp-fundamentals/

    Marty

  13. Wes Winters says:

    Thanks Marty,

    We currently use SiteBuilder with Elbrus Extensions for SiteBuilder

    When I create a new SSP application record, touch point is REQUIRED.

    Are you saying that I don’t actually need an SSP application record, and can just save the ssp scripts in the file cabinet in the SSP Applications folder?

    Thanks,
    Wes

  14. Marty Zigman says:

    Wes,

    Based on my experimentation, you don’t need a touch point. See this reference article which is on topic: https://blog.prolecto.com/2015/04/18/learn-suitecommerce-advance-suitescript-server-pages-ssp-fundamentals/

    Here, I created an SSP, no touch points, and put ss and ssp in the root and all worked.

    Reference NetSuite SSP Application with no Touch Points

  15. Wes Winters says:

    Wow. OK Thanks, that worked.
    Not sure what happened the first time I tried that.

  16. Chris says:

    It’s 2023 and this content is still relevant. Just had to use the “Mozilla/5.0” hack with Postman. Also, anecdotally I can verify that leaving the User-Agent out completely works.

  17. Marty Zigman says:

    Thanks Chris for the update. Keeping it all relevant!

    Marty

  18. Kyara says:

    When I use java to request the suitelet interface, from time to time a certain interface does not return a response for a period of time. At this time, other interfaces are normal, and postman can also access this interface. This problem started suddenly a few months ago and will be especially frequent on certain days.

  19. Marty Zigman says:

    Hi Kyara,

    I wish we had more insight than you do on these kinds of concerns. It may make sense to create a monitor to watch the endpoint and then take the results to NetSuite Support.

    Good luck.

    Marty

Leave a Reply

Your email address will not be published. Required fields are marked *