From bd18b96846e87b53e61ce46b96d45336d7c46c15 Mon Sep 17 00:00:00 2001
From: Nils Pukropp <nils@narl.io>
Date: Sat, 9 May 2026 05:44:19 +0200
Subject: [PATCH] fixed another upload issue

---
 frontend/astro.config.mjs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/frontend/astro.config.mjs b/frontend/astro.config.mjs
index f6fe766..c96e206 100644
--- a/frontend/astro.config.mjs
+++ b/frontend/astro.config.mjs
@@ -9,6 +9,14 @@ import node from '@astrojs/node';
 export default defineConfig({
   output: 'server',
   integrations: [react()],
+  // Astro's CSRF Origin/Host check fires on form-encoded POSTs and compares
+  // protocols. Behind a TLS-terminating proxy (Traefik), Node sees http://
+  // locally while the browser sends Origin: https://, which falsely fails the
+  // check. SameSite=Strict on the auth cookie + server-side token validation
+  // handle CSRF instead.
+  security: {
+    checkOrigin: false,
+  },
   image: {
     service: { entrypoint: 'astro/assets/services/noop' }
   },