Replace SvelteKit CSRF with custom multi-origin check · 0ceee55f9b - buildfor_life_repair

Replace SvelteKit CSRF with custom multi-origin check

Deploy to LXC / deploy (push) Successful in 19s

Details

SvelteKit's built-in CSRF only allows one origin, breaking access via
NetBird/Yggdrasil/Tor IPs. Now:
- Disabled checkOrigin in svelte.config.js
- Custom CSRF in hooks.server.ts checks Origin against ALLOWED_ORIGINS
- ALLOWED_ORIGINS env var: comma-separated list of trusted origins
- Caddy no longer needs to rewrite Host/Origin headers
- Each access method (public domain, NetBird IP, Yggdrasil, Tor onion)
  just needs its URL added to ALLOWED_ORIGINS

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

This commit is contained in:

Alexander Grabowski

2026-04-13 14:23:02 +07:00

parent dbc140c1f9

commit 0ceee55f9b

4 changed files with 38 additions and 9 deletions

									
										svelte.config.js
									
		+4
		-1
	
												View File
												
				@@ -15,7 +15,10 @@ const config = {

						adapter: adapter({

							out: 'build',

							precompress: true

						})

						}),

						csrf: {

							checkOrigin: false

						}

					}

				};

Replace SvelteKit CSRF with custom multi-origin check Deploy to LXC / deploy (push) Successful in 19s Details

Replace SvelteKit CSRF with custom multi-origin check

Deploy to LXC / deploy (push) Successful in 19s

Details