cecadm
XOOPS_TOKEN_REQUEST and Nginx Proxy Manager = 403 Forbidden openresty
  • Today 13:26


Hi,
I'm using XOOPS 2.5.11 behind Nginx Proxy Manager (https://nginxproxymanager.com/).
Nginx Proxy Manager has "Block Common Exploits" enabled for this proxy host.
When you access any page where the parameter XOOPS_TOKEN_REQUEST is present in the URL, you receive "403 Forbidden openresty".
This happens mostly in the System admin pages; I was using the block page when I found it.

I'm not saying it is a bug in XOOPS or in Nginx Proxy Manager, but since I want to keep "Block Common Exploits" enabled, I need to hack XOOPS.

The problem is the presence of the word _REQUEST in the URL.
The following instructions will change that word in the XOOPS installation.
I suggest backing up the files before changing them.

Change XOOPS_TOKEN_REQUEST to XOOPS_TOKEN_REQUE in:
include/findusers.php
modules/system/templates/system_notification_list.tpl
modules/system/templates/system_notification_list.html
modules/system/templates/blocks/system_block_notification.tpl
themes/xswatch4/modules/system/blocks/system_block_notification.tpl

Change '_REQUEST' to '_REQUE' in:
class/xoopssecurity.php
class/xoopsform/formhiddentoken.php

I'm not using Protector; maybe there is something to change there as well.
In Preferences I have "Check templates for modifications? YES"; otherwise I think you have to rebuild the templates.

That's it.
Carlo
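
An added example, not part of the original post and not XOOPS code: a shell audit to run after the edits above. It lists any file that still carries the old name and checks that both class files named in the post have the new suffix. The function names and the double-quote variant in the patterns are assumptions of this example; the file paths and the old and new strings come from the post.

```shell
#!/bin/sh
# Added example (not XOOPS code): audit a tree after the rename from the post.
OLD_PAT="XOOPS_TOKEN_REQUEST|[\"']_REQUEST[\"']"   # names the post replaces
NEW_PAT="[\"']_REQUE[\"']"                          # suffix the post introduces

# Print file:line:text for every remaining old-name reference under $1.
# The quoted-suffix pattern does not match the PHP superglobal $_REQUEST.
find_old_token_refs() {
    find "$1" -type f \( -name '*.php' -o -name '*.tpl' -o -name '*.html' \) \
        -exec grep -nE "$OLD_PAT" /dev/null {} + 2>/dev/null
}

# Return 0 only if no old name remains AND both class files listed in the
# post carry the new suffix. A half-applied edit leaves the two files using
# different field names, which this check reports.
check_token_rename() {
    root=$1
    status=0
    leftovers=$(find_old_token_refs "$root") || true
    if [ -n "$leftovers" ]; then
        printf 'old token name still present:\n%s\n' "$leftovers"
        status=1
    fi
    for f in class/xoopssecurity.php class/xoopsform/formhiddentoken.php; do
        if ! grep -qE "$NEW_PAT" "$root/$f" 2>/dev/null; then
            printf 'new suffix missing in %s\n' "$f"
            status=1
        fi
    done
    return $status
}

# Usage: sh audit.sh /path/to/xoops   (the path is yours to supply)
if [ -n "${1:-}" ]; then check_token_rename "$1"; fi
```

Because it walks the whole tree, it also reports other themes or modules that still reference the old name and are not in the file lists above.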
