diff --git a/src/routes/api/contact/+server.ts b/src/routes/api/contact/+server.ts index 66bd862..7597b67 100644 --- a/src/routes/api/contact/+server.ts +++ b/src/routes/api/contact/+server.ts @@ -36,7 +36,7 @@ const ALLOWED_ORIGINS = new Set([ "http://localhost:4173", ]); -export const POST: RequestHandler = async ({ request, getClientAddress, url }) => { +export const POST: RequestHandler = async ({ request, getClientAddress }) => { // Origin/Referer must match — blocks naive cross-site POSTs const origin = request.headers.get("origin") ?? ""; const referer = request.headers.get("referer") ?? ""; @@ -107,12 +107,13 @@ export const POST: RequestHandler = async ({ request, getClientAddress, url }) = let res: Response; try { + // No Origin header — we already validated it at this server. + // CMS forms plugin (REQUIRE_ORIGIN=false) accepts requests without one. res = await fetch(cmsUrl, { method: "POST", headers: { "Content-Type": "application/json", "X-Forwarded-For": getClientAddress(), - Origin: url.origin, }, body: JSON.stringify(payload), });