From df7bc9ff715ead22c1353cf9cace564d680ead26 Mon Sep 17 00:00:00 2001
From: pnannery
Date: Tue, 3 Mar 2026 18:38:00 -0500
Subject: [PATCH] Skip CSRF host checks in non-prod (reverse proxy friendly)

---
 web/src/index.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/web/src/index.js b/web/src/index.js
index d7c4039..95123cc 100644
--- a/web/src/index.js
+++ b/web/src/index.js
@@ -85,6 +85,11 @@ app.use(express.json());
 // Basic CSRF mitigation: require same-origin POSTs
 app.use((req, res, next) => {
   if (req.method !== 'POST') return next();
+
+  // MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
+  // can omit/alter Origin/Referer and cause false blocks). Enforce in production.
+  if (!isProd) return next();
+
   // Allow OAuth callbacks (they are GET in our app anyway) and health checks
   const origin = req.get('origin');
   const referer = req.get('referer');
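Review bot: The new `if (!isProd) return next();` makes the CSRF check fail open: any deployment where `isProd` evaluates false (presumably a host started without the production environment flag, since `isProd` is defined outside this hunk) silently loses the mitigation, and nothing is logged to show the bypass is active. A safer shape is an explicit opt-in for the bypass plus a one-time startup log, e.g. `const csrfBypass = !isProd && process.env.<CSRF_BYPASS_FLAG> === '1';` (placeholder name) and `if (csrfBypass) return next();`, so the default in every environment is to enforce. The reverse-proxy problem the comment describes is better solved by checking the forwarded host (`app.set('trust proxy', ...)` with `req.hostname`) or by a token-based CSRF check that does not depend on Origin/Referer being present, rather than by disabling the check. The middleware body continues outside the hunk, so the actual Origin/Referer comparison that the bypass skips is not visible here.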