pnannery/Mastermind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Relax CSRF check in non-prod when Origin/Referer missing

Browse Source
This commit is contained in:
pnannery
2026-03-01 22:27:35 -05:00
parent bdabd56897
commit 98a6b5096c
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
web/src/index.js
View File

@@ -103,6 +103,10 @@ app.use((req, res, next) => {
// Some clients omit Origin; allow Referer as fallback.
if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
// In non-production MVP/dev environments, be permissive if headers are missing.
// (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.)
if (!isProd && !origin && !referer) return next();
return res.status(403).send('Blocked (CSRF)');
});