d0e01d2863
Behind a reverse proxy with a custom port (e.g. Caddy on :3443), the browser sends an Origin header that includes the port, but the board mutation guard only read the Host header which often omits the port. This caused a 403 "Board mutation requires trusted browser origin" for self-hosted deployments behind reverse proxies. Read x-forwarded-host (first value, comma-split) with the same pattern already used in private-hostname-guard.ts and routes/access.ts. Fixes #1734 |
||
|---|---|---|
| .. | ||
| src | ||
| CHANGELOG.md | ||
| package.json | ||
| tsconfig.json | ||
| vitest.config.ts | ||