Skip CSRF host checks in non-prod (reverse proxy friendly)

2026-03-03 18:38:00 -05:00
parent 98a6b5096c
commit df7bc9ff71
1 changed files with 5 additions and 0 deletions
--- a/web/src/index.js
+++ b/web/src/index.js
@@ -85,6 +85,11 @@ app.use(express.json());
 // Basic CSRF mitigation: require same-origin POSTs
 app.use((req, res, next) => {
  if (req.method !== 'POST') return next();
+
+  // MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
+  // can omit/alter Origin/Referer and cause false blocks). Enforce in production.
+  if (!isProd) return next();
+
  // Allow OAuth callbacks (they are GET in our app anyway) and health checks
  const origin = req.get('origin');
  const referer = req.get('referer');