pnannery/Mastermind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Skip CSRF host checks in non-prod (reverse proxy friendly)

Browse Source
This commit is contained in:
pnannery
2026-03-03 18:38:00 -05:00
parent 98a6b5096c
commit df7bc9ff71
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
web/src/index.js
View File

@@ -85,6 +85,11 @@ app.use(express.json());
// Basic CSRF mitigation: require same-origin POSTs // Basic CSRF mitigation: require same-origin POSTs
app.use((req, res, next) => { app.use((req, res, next) => {
if (req.method !== 'POST') return next(); if (req.method !== 'POST') return next();
// MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
// can omit/alter Origin/Referer and cause false blocks). Enforce in production.
if (!isProd) return next();
// Allow OAuth callbacks (they are GET in our app anyway) and health checks // Allow OAuth callbacks (they are GET in our app anyway) and health checks
const origin = req.get('origin'); const origin = req.get('origin');
const referer = req.get('referer'); const referer = req.get('referer');