SvelteKit's built-in CSRF only allows one origin, breaking access via
NetBird/Yggdrasil/Tor IPs. Now:
- Disabled checkOrigin in svelte.config.js
- Custom CSRF in hooks.server.ts checks Origin against ALLOWED_ORIGINS
- ALLOWED_ORIGINS env var: comma-separated list of trusted origins
- Caddy no longer needs to rewrite Host/Origin headers
- Each access method (public domain, NetBird IP, Yggdrasil, Tor onion)
just needs its URL added to ALLOWED_ORIGINS
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SvelteKit checks the browser's Origin header, not just Host or
X-Forwarded-Proto. Rewrite Origin to https://collection.newedge.house
so CSRF passes on all non-public routes (NetBird, Yggdrasil, Tor).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SvelteKit expects ORIGIN=https://... so all routes must send
X-Forwarded-Proto: https regardless of actual connection scheme.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewritten for the actual architecture: separate upstream Caddy handles
TLS for public domain, LXC Caddy only does HTTP. Added NetBird
interface binding, explicit per-interface blocks, upstream Caddy
config snippet.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Caddyfile config with shared proxy snippet that sets Host header for
CSRF compatibility. Handles:
- Public domain with auto HTTPS (Let's Encrypt)
- LAN/internal on port 80
- Tor hidden service via localhost:8880
- Yggdrasil IPv6 on port 80
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
grabowski