# Troubleshooting

## 403 on signed URLs
- Check that the full query string is preserved by the proxy (`$query_string` in Nginx).
- Ensure `WEBRICK_SIGN_KEY` matches between generator and verifier.
- If using temporary URLs, confirm clock skew and TTL (`signedDefaultTtl`).
- Verification failures are raised internally as HTTP exceptions and rendered by the kernel error boundary, so custom top-level error rendering still applies.

## 406 Not Acceptable
- Negotiation middleware rejects unacceptable `Accept` headers. Ensure your client requests supported types.
- The middleware now throws a framework HTTP exception internally; the kernel error boundary renders the final `406`.
- Use `Response::auto()` for convenience.

## Weird caches
- Verify `Vary` headers include `Accept-Encoding`/`Accept-Language` as emitted by middleware.
- Avoid stripping or overwriting `Vary` at the proxy/CDN.
