Fix CSRF 403: override Origin header in Caddy proxy snippet

SvelteKit checks the browser's Origin header, not just Host or X-Forwarded-Proto. Rewrite Origin to https://collection.newedge.house so CSRF passes on all non-public routes (NetBird, Yggdrasil, Tor). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 14:18:56 +07:00
parent d41ff1112d
commit dbc140c1f9
1 changed files with 1 additions and 0 deletions
@@ -76,6 +76,7 @@ Edit `/etc/caddy/Caddyfile`:
 (proxy) {
 	reverse_proxy 127.0.0.1:3000 {
 		header_up Host collection.newedge.house
+		header_up Origin https://collection.newedge.house
 		header_up X-Real-IP {remote_host}
 		header_up X-Forwarded-For {remote_host}
 		header_up X-Forwarded-Proto https