Skip CSRF host checks in non-prod (reverse proxy friendly)

Relax CSRF check in non-prod when Origin/Referer missing
2026-03-03 18:38:00 -05:00 · 2026-03-01 22:27:35 -05:00
1 changed files with 9 additions and 0 deletions
--- a/web/src/index.js
+++ b/web/src/index.js
@@ -85,6 +85,11 @@ app.use(express.json());
 // Basic CSRF mitigation: require same-origin POSTs
 app.use((req, res, next) => {
  if (req.method !== 'POST') return next();
+
+  // MVP/dev: skip CSRF host checks entirely (reverse proxies + browser privacy features
+  // can omit/alter Origin/Referer and cause false blocks). Enforce in production.
+  if (!isProd) return next();
+
  // Allow OAuth callbacks (they are GET in our app anyway) and health checks
  const origin = req.get('origin');
  const referer = req.get('referer');
@@ -103,6 +108,10 @@ app.use((req, res, next) => {
  // Some clients omit Origin; allow Referer as fallback.
  if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();

+  // In non-production MVP/dev environments, be permissive if headers are missing.
+  // (Notably some browsers/proxies can omit Origin/Referer on same-origin form posts.)
+  if (!isProd && !origin && !referer) return next();
+
  return res.status(403).send('Blocked (CSRF)');
 });
Author	SHA1	Message	Date
pnannery	df7bc9ff71	Skip CSRF host checks in non-prod (reverse proxy friendly)	2026-03-03 18:38:00 -05:00
pnannery	98a6b5096c	Relax CSRF check in non-prod when Origin/Referer missing	2026-03-01 22:27:35 -05:00