I’m trying out Grav, a flat file CMS, on my server. It looks promising, having just installed it with the admin plugin. It seems that there is a fairly well-known problem with false positives from apache’s mod security web application firewall software, which manifests as an annoying 403 error banner in the admin pages (and the notifications panel not loading).
This is easily fixed by whitelisting mod security rule 350147. In Plesk, mod security rules can be whitelisted in the Server Management | Tools and Settings | Security | Web Application Firewall (ModSecurity) page. Enter the security rule ID (in this case 350147) in the box at the end of the page and click apply.
There is a security risk associated with this and users should assess the risk to their servers before implementing this workaround.