From dbc140c1f936a9444b4000a26847f48b4f7f59ec Mon Sep 17 00:00:00 2001
From: grabowski <berwn@buildfor.life>
Date: Mon, 13 Apr 2026 14:18:56 +0700
Subject: [PATCH] Fix CSRF 403: override Origin header in Caddy proxy snippet

SvelteKit checks the browser's Origin header, not just Host or
X-Forwarded-Proto. Rewrite Origin to https://collection.newedge.house
so CSRF passes on all non-public routes (NetBird, Yggdrasil, Tor).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docs/caddy-reverse-proxy.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/caddy-reverse-proxy.md b/docs/caddy-reverse-proxy.md
index ff17c30..46b0771 100644
--- a/docs/caddy-reverse-proxy.md
+++ b/docs/caddy-reverse-proxy.md
@@ -76,6 +76,7 @@ Edit `/etc/caddy/Caddyfile`:
 (proxy) {
 	reverse_proxy 127.0.0.1:3000 {
 		header_up Host collection.newedge.house
+		header_up Origin https://collection.newedge.house
 		header_up X-Real-IP {remote_host}
 		header_up X-Forwarded-For {remote_host}
 		header_up X-Forwarded-Proto https