fix(csrf): non-www-Canonical + trustedOrigins für www-Fallback
Deploy / verify (push) Failing after 1m12s
Deploy / deploy (push) Has been skipped

SvelteKits CSRF-Check blockte multipart-POSTs (/api/mitmachen) mit 403:
ORIGIN env stand auf www, Caddy redirected aber www -> non-www — jeder
Besucher war auf non-www, Origin-Header passte nie. Env-Flip auf non-www
(secrets), hier: www als trustedOrigin-Fallback + Kit-Bump auf ^2.65
(trustedOrigins gibt es ab 2.23).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Peter Meier
2026-06-12 22:58:28 +02:00
parent ae9536db3a
commit 77ff44f6ef
3 changed files with 20 additions and 12 deletions
+1 -1
View File
@@ -22,7 +22,7 @@
"devDependencies": {
"@iconify-json/mdi": "^1.2.3",
"@sveltejs/adapter-node": "^5.2.12",
"@sveltejs/kit": "^2.21.4",
"@sveltejs/kit": "^2.65.0",
"@sveltejs/vite-plugin-svelte": "^5.0.3",
"@tailwindcss/vite": "^4.1.18",
"@types/node": "^22.10.0",