Fix CSRF 403: override Origin header in Caddy proxy snippet
Deploy to LXC / deploy (push) Successful in 18s
Deploy to LXC / deploy (push) Successful in 18s
SvelteKit checks the browser's Origin header, not just Host or X-Forwarded-Proto. Rewrite Origin to https://collection.newedge.house so CSRF passes on all non-public routes (NetBird, Yggdrasil, Tor). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -76,6 +76,7 @@ Edit `/etc/caddy/Caddyfile`:
|
|||||||
(proxy) {
|
(proxy) {
|
||||||
reverse_proxy 127.0.0.1:3000 {
|
reverse_proxy 127.0.0.1:3000 {
|
||||||
header_up Host collection.newedge.house
|
header_up Host collection.newedge.house
|
||||||
|
header_up Origin https://collection.newedge.house
|
||||||
header_up X-Real-IP {remote_host}
|
header_up X-Real-IP {remote_host}
|
||||||
header_up X-Forwarded-For {remote_host}
|
header_up X-Forwarded-For {remote_host}
|
||||||
header_up X-Forwarded-Proto https
|
header_up X-Forwarded-Proto https
|
||||||
|
|||||||
Reference in New Issue
Block a user