checkOrigin in v6.0.0-beta.14

[devcustrom]

Astro Info

Astro                    v6.0.0-beta.14
Node                     v22.22.0
System                   Windows (x64)
Package Manager          npm
Output                   server
Adapter                  @astrojs/node (v10.0.0-beta.4)
Integrations             @astrojs/vue (v6.0.0-beta.1)

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

I encountered this on a local machine immediately after upgrading from 5.17.1 to 6.0.0-beta.14. I get errors in actions Cross-site POST form submissions are forbidden checkOrigin: false solves this problem,
I am using caddy server before astro for https availability in development
Here are his logs

2026/02/20 06:27:38.690 ERROR http.log.error dial tcp [::1]:3001: connectex: No connection could be made because the target machine actively refused it. {"request": {"remote_ip": "::1", "remote_port": "64129", "client_ip": "::1", "proto": "HTTP/1.1", "method": "GET", "host": "my.test.localhost", "uri": "/", "headers": {"Sec-Websocket-Extensions": ["permessage-deflate; client_max_window_bits"], "Cache-Control": ["no-cache"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36"], "Origin": ["https://my.test.localhost"], "Sec-Websocket-Protocol": ["vite-ping"], "Connection": ["Upgrade"], "Pragma": ["no-cache"], "Upgrade": ["websocket"], "Sec-Websocket-Version": ["13"], "Accept-Language": ["ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"], "Cookie": ["REDACTED"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Sec-Websocket-Key": ["lgHdA5gGi11nrea53cA58g=="]}, "tls": {"resumed": true, "version": 772, "cipher_suite": 4865, "proto": "http/1.1", "server_name": "my.test.localhost"}}, "duration": 0.0011748, "status": 502, "err_id": "5w2uyc3pw", "err_trace": "reverseproxy.statusError (reverseproxy.go:1390)"}

What's the expected result?

No 403 error in local https development

Link to Minimal Reproducible Example

https://stackblitz.com/edit/github-bn4gnrih?file=package.json

Participation

• I am willing to submit a pull request for this issue.

[ematipico]

@devcustrom what instructions do we need to follow in order to reproduce the issue?

[astrobot-houston]

I was able to reproduce this issue. The checkOrigin middleware in packages/astro/src/core/app/middlewares.ts:35 performs a strict string comparison (request.headers.get('origin') === url.origin) between the browser's Origin header and the server's constructed URL origin. When running behind a reverse proxy (e.g., Caddy providing HTTPS at https://my.test.localhost while Astro serves on http://localhost:4321), these will never match due to differences in protocol, hostname, and port — resulting in a 403 "Cross-site POST form submissions are forbidden" error on all non-safe-method requests.

Fix: I was unable to find a fix for this issue. This is currently behaving as designed — maintainers have previously closed identical reports (#13891, #14944) as expected behavior. The intended workaround is to set checkOrigin: false in your Astro config, or for production use, configure security.allowedDomains (added in v5.14.2) to whitelist your proxy's domain. There is also an open community PR (#15534) that aims to improve the interaction between X-Forwarded-* headers and checkOrigin, which may address this in a future release.

Priority: [P2: has workaround]. This affects users running Astro behind a reverse proxy (common in local HTTPS development with Caddy/nginx and in production behind load balancers), but the workaround is trivial — setting checkOrigin: false or configuring security.allowedDomains. Since this has been explicitly classified as intended behavior by maintainers in prior issues, it is more of an enhancement opportunity than a bug.

Full Triage Report

Triage Report: Issue #15587 - checkOrigin in v6.0.0-beta.14

Issue Details

• Title: checkOrigin in v6.0.0-beta.14
• Author: devcustrom
• URL: checkOrigin in v6.0.0-beta.14 #15587
• Created: 2026-02-20T06:47:44Z
• State: OPEN

Original Description

The user encountered a Cross-site POST form submissions are forbidden (403) error when using Astro actions after upgrading from Astro 5.17.1 to 6.0.0-beta.14. They are using a Caddy reverse proxy in front of Astro's dev server for HTTPS availability in local development.

The user's setup:

• Astro dev server running on localhost:4321
• Caddy reverse proxy providing HTTPS at https://my.test.localhost
• When actions make POST requests, the Origin header is https://my.test.localhost but the Astro server sees itself as http://localhost:4321

Setting checkOrigin: false in astro.config.mjs resolves the issue as a workaround.

Reproduction Results

Bug successfully reproduced.

Test	Origin Header	Expected	Actual	Result
Same origin POST	http://localhost:14589	200	200	PASS
Different origin POST (proxy scenario)	https://my.test.localhost	200	403	BUG
Different protocol same host	https://localhost:14589	200	403	BUG
GET with different origin	https://my.test.localhost	200	200	PASS (safe method)

Root Cause Analysis

The origin check middleware at packages/astro/src/core/app/middlewares.ts:35 performs a strict comparison:

const isSameOrigin = request.headers.get('origin') === url.origin;

When behind a reverse proxy, the Origin header (https://my.test.localhost) never matches the server's URL origin (http://localhost:4321). The dev server does not read X-Forwarded-Host, X-Forwarded-Proto, or X-Forwarded-Port headers, unlike the production Node adapter which does.

Verification: Intended Behavior

Maintainers have explicitly addressed identical reports:

1. Issue security.originCheck doesn't work well with cloudfront #13891 (closed): Maintainer @ascorbic closed it stating "it's behaving as expected and there is a workaround."
2. Issue Configurable origin for createOriginCheckMiddleware #14944 (closed): Maintainer @florian-lefebvre classified it as "not a bug but rather a feature request."
3. PR Fixes an issue with x-forwarded headers and checkOrigin' #15534 (open): Community PR attempting to improve this interaction, suggesting maintainers may accept an enhancement.

The security.allowedDomains config (added v5.14.2) was specifically designed as the solution for reverse proxy scenarios.

Verdict: intended-behavior (high confidence)

This report was made by an LLM. Mistakes happen, check important info.

[qzio]

Have you added the domain your are using locally to security.allowedDomains?
How does your configuration look like, i.e. does it include protocol or port?
Do you have multiple entries in allowedDomains with the same hostname?

It would be awesome to get this information, then we can create a test-case and find why this happened to you.
And create a fix if it's not the intended behaviour.

Oh, and turning checkOrigin to false is definitely not recommended unless you have other csrf-mitigations in place.

[MichaelKohler]

Note that this also affects version 5, I got the same issue after merging this PR: MichaelKohler/savings-dashboard#192 . In my case I do not have any allowed domains configured, which likely is the correct fix when I get to it.

[devcustrom]

I added my domains to allowed Domains, but it had no effect.

[qzio]

I added my domains to allowed Domains, but it had no effect.

Ok, but how exactly does it look.
Does it contain protocol, port or just hostname?
Do you have other entries as well?

Hmm, according to the logs (from caddy?) There seems to be using websocket?
And it states connectex: No connection could be made because the target machine actively refused it

Are you sure this log entry is related to a POST that gets refused by checkOrigin?

Do you get any logs at all from astro?

The hostname says my.test.localhost are you running astro in development mode?

[devcustrom]

I added my domains to allowed Domains, but it had no effect.

Ok, but how exactly does it look. Does it contain protocol, port or just hostname? Do you have other entries as well?

Hmm, according to the logs (from caddy?) There seems to be using websocket? And it states connectex: No connection could be made because the target machine actively refused it

Are you sure this log entry is related to a POST that gets refused by checkOrigin?

Do you get any logs at all from astro?

The hostname says my.test.localhost are you running astro in development mode?

security: {
		checkOrigin: false,
		allowedDomains: [
			{
				hostname: '**.test.localhost',
				protocol: 'https'
			}
		]
	},

[qzio]

What happens if you remove 'protocol' fronter entry in allowedDomains?

There was a recent change re protocol...

It's hard to know what is going wrong without the same setup...

Maybe caddy is sending the wrong headers? (Probably not)

[qzio]

Note that this also affects version 5, I got the same issue after merging this PR: MichaelKohler/savings-dashboard#192 . In my case I do not have any allowed domains configured, which likely is the correct fix when I get to it.

Yes, if you are running astro behind a reverse proxy, and want to use security.checkOrigin: true you HAVE to specify the domain in security.allowedDomains.

[qzio]

I've setup a minimal astro project behind a caddy server and can reproduce your issue.

Will investigate further.