B4L/buildfor_life_repair
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
buildfor_life_repair/.env.example
T
grabowski 0ceee55f9b
Deploy to LXC / deploy (push) Successful in 19s
Details
Replace SvelteKit CSRF with custom multi-origin check 
SvelteKit's built-in CSRF only allows one origin, breaking access via
NetBird/Yggdrasil/Tor IPs. Now:
- Disabled checkOrigin in svelte.config.js
- Custom CSRF in hooks.server.ts checks Origin against ALLOWED_ORIGINS
- ALLOWED_ORIGINS env var: comma-separated list of trusted origins
- Caddy no longer needs to rewrite Host/Origin headers
- Each access method (public domain, NetBird IP, Yggdrasil, Tor onion)
  just needs its URL added to ALLOWED_ORIGINS

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 14:23:02 +07:00

7 lines
269 B
Bash
Raw Permalink Blame History

DATABASE_URL=postgresql://bflr:bflr_dev@localhost:5432/buildfor_life_repair
UPLOAD_DIR=static/uploads
BASE_URL=http://localhost:5173
ORIGIN=https://collection.newedge.house
ALLOWED_ORIGINS=https://collection.newedge.house,http://100.81.174.129
BODY_SIZE_LIMIT=52428800
Reference in New Issue View Git Blame Copy Permalink