Relax CSRF check in non-prod when Origin/Referer missing

This commit is contained in:
2026-03-01 22:27:35 -05:00
parent bdabd56897
commit 98a6b5096c


@@ -103,6 +103,10 @@ app.use((req, res, next) => {
// Some clients omit Origin; allow Referer as fallback. // Some clients omit Origin; allow Referer as fallback.
if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next(); if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
// In non-production MVP/dev environments, be permissive if headers are missing.
// (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.)
if (!isProd && !origin && !referer) return next();
return res.status(403).send('Blocked (CSRF)'); return res.status(403).send('Blocked (CSRF)');
}); });
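Review bot: The new bypass `if (!isProd && !origin && !referer) return next();` is fail-open: in any deployment where `isProd` evaluates false — including a production host where the environment flag is simply unset — a request carrying neither header skips the CSRF check entirely, and the preceding line already treats "no Origin" as a reason to consult Referer, so the two relaxations compound. The hunk does not show how `isProd` is derived (it and `ok` are defined outside the hunk, and the middleware body starts before it), so at minimum the bypass should be observable: `if (!isProd && !origin && !referer) { console.warn('CSRF: allowing headerless request (non-production only)'); return next(); }`. The comment on the added line should also state the consequence rather than only the motivation, e.g. `// DEV ONLY: headerless requests bypass the CSRF check; isProd must be derived fail-closed (unset => prod).` Consider whether a stricter alternative — such as a same-site cookie or a per-form token — would cover the same-origin form-post case without opening the headerless path at all.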