In my case, it turned out to be a problem with the mod_security rules, which I have no control over. Based on some feedback on my provider’s support forum, I added this line to my .htaccess file to disable mod_security.
SecFilterEngine off
some additional info: <https://kb.textdrive.com/article/disabling-mod_security>
Which appears to have solved my problem, but I am not sure which mod_security filter I ws triggering. Now I am investigating selectively disabling mod_security for my host only while I dig through my server logs for clues.
