From 98a6b5096c4e86255da72012ec969e0ce3381cca Mon Sep 17 00:00:00 2001 From: pnannery Date: Sun, 1 Mar 2026 22:27:35 -0500 Subject: [PATCH] Relax CSRF check in non-prod when Origin/Referer missing --- web/src/index.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/web/src/index.js b/web/src/index.js index bf4064b..d7c4039 100644 --- a/web/src/index.js +++ b/web/src/index.js @@ -103,6 +103,10 @@ app.use((req, res, next) => { // Some clients omit Origin; allow Referer as fallback. if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next(); + // In non-production MVP/dev environments, be permissive if headers are missing. + // (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.) + if (!isProd && !origin && !referer) return next(); + return res.status(403).send('Blocked (CSRF)'); });
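Review bot: The new `if (!isProd && !origin && !referer) return next();` disables the CSRF check for every state-changing request that arrives with neither header, and it is keyed only on `isProd` (defined outside this hunk), so any staging or demo deployment whose environment is not explicitly marked production silently loses the protection while real sessions are in play. A request with no Origin and no Referer is also the classic bypass shape for origin-based CSRF checks (referrer-policy suppression, redirect chains, header-stripping proxies), which is why the usual guidance is to fail closed when both are absent rather than fail open. The justification in the added comment that browsers omit Origin/Referer on same-origin form POSTs does not match current browser behaviour for POST, so the actual failing client should be identified before this branch is kept. If a development escape hatch is genuinely needed, make it an explicit opt-in rather than an inference from `isProd`, and make it loud: `if (!isProd && process.env.CSRF_ALLOW_MISSING_HEADERS === '1' && !origin && !referer) { console.warn('CSRF: allowing request with no Origin/Referer (dev override)'); return next(); }`. The enclosing `app.use` middleware begins before this hunk, so how `origin`, `referer` and `ok()` are derived is not visible here.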