Cross-site POST form submissions are forbidden [bug] same site
I'm posting to the same host
screenshot included
Origin:
https://ponytron-frontend-production.up.railway.app
Referer:
https://ponytron-frontend-production.up.railway.app/
Solution:
disabled csrf in svelte.config.js:
```
kit: {
// adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list....
```
13 Replies
Project ID:
ae09b251-66fd-498b-8797-816b32b39aea
what kind of frontend site is this? what's the tech stack?
Sveltekit. The error is coming from railway proxy I think though. I don't see the error in my logs
can you send a link to where i could reproduce this error?
Visit the url I included and try to login with any username password doesn't matter
on railway your app sits behind a proxy so i think the Sveltekit server is not reading the host correctly and thus is thinking you are doing a post request from a different domain, or something along those lines.
look into getting Sveltekit to trust the proxy headers.
K thx
yeah it was on my end, working now
awesome, would you mind sharing the config change needed?
Solution
disabled csrf in svelte.config.js:
I'm not using it anyway but probably not the best. there are env variables you can set at https://kit.svelte.dev/docs/adapter-node#environment-variables but I didn't go that route
alright, thank you!
Is it safe to not check origin?
that's entirely up to you
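
Added example, not part of the thread and not SvelteKit's own code: a simplified JavaScript model of the origin comparison discussed above. It shows why a same-site login POST is rejected when the server derives its origin from a proxy-rewritten Host header, and how the adapter-node variables `ORIGIN` or `PROTOCOL_HEADER`/`HOST_HEADER` fix that while a real cross-site post is still refused. The function names, the internal hostname and the forwarded header values are assumptions.

```javascript
// Simplified model (an assumption, not SvelteKit source) of the check behind
// "Cross-site POST form submissions are forbidden".
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// How a Node server behind a proxy decides what its own origin is.
// env mirrors the adapter-node variables ORIGIN, PROTOCOL_HEADER, HOST_HEADER.
function serverOrigin(headers, env = {}) {
  if (env.ORIGIN) return env.ORIGIN;
  const protoHeader = (env.PROTOCOL_HEADER || '').toLowerCase();
  const hostHeader = (env.HOST_HEADER || 'host').toLowerCase();
  const protocol = (protoHeader && headers[protoHeader]) || 'https';
  return `${protocol}://${headers[hostHeader]}`;
}

// 403 when a form-encoded, state-changing request carries an Origin header
// that differs from the origin the server believes it is served from.
function csrfStatus(req, env = {}) {
  const type = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const unsafe = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method);
  if (!unsafe || !FORM_TYPES.includes(type)) return 200;
  return req.headers['origin'] === serverOrigin(req.headers, env) ? 200 : 403;
}

// Constructed request: what the app might see after a proxy rewrote Host.
const PUBLIC = 'https://ponytron-frontend-production.up.railway.app';
const loginPost = {
  method: 'POST',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
    origin: PUBLIC,
    host: 'app.internal:3000', // constructed internal hostname
    'x-forwarded-proto': 'https',
    'x-forwarded-host': 'ponytron-frontend-production.up.railway.app',
  },
};

// Constructed cross-site form post: the case the check exists to stop.
const crossSitePost = {
  ...loginPost,
  headers: { ...loginPost.headers, origin: 'https://other.example' },
};

const trustProxy = { PROTOCOL_HEADER: 'x-forwarded-proto', HOST_HEADER: 'x-forwarded-host' };
console.log('no env:       ', csrfStatus(loginPost));
console.log('ORIGIN set:   ', csrfStatus(loginPost, { ORIGIN: PUBLIC }));
console.log('trust proxy:  ', csrfStatus(loginPost, trustProxy));
console.log('cross-site:   ', csrfStatus(crossSitePost, { ORIGIN: PUBLIC }));
```

Forwarded headers should only be trusted when the app is reachable solely through a proxy that sets them; otherwise a client can supply its own values.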