[🐞] routeAction$ CSRF check failed
Which component is affected?
Qwik Runtime
Describe the bug
- button type="submit"
CSRF check failed. Cross-site POST form submissions are forbidden.\nThe request origin "https://www.xx.com" does not match the server origin "http://www.xx.com"."
- Using actions programmatically
await actionSaveWord.submit() is ok, no CSRF
Reproduction
https://stackblitz.com/edit/github-q2y5ygdo?file=src%2Froutes%2Findex.tsx
Steps to reproduce
bun run build
bun run serve
System Info
System:
OS: macOS 15.6.1
CPU: (8) arm64 Apple M1
Memory: 145.28 MB / 8.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.12.0 - /Users/lontten/.nvm/versions/node/v22.12.0/bin/node
npm: 10.9.0 - /Users/lontten/.nvm/versions/node/v22.12.0/bin/npm
bun: 1.2.23 - /Users/lontten/.bun/bin/bun
Browsers:
Edge: 141.0.3537.57
Safari: 18.6
Additional Information
nginx
location / {
    proxy_pass http://127.0.0.1:3010;
    # Key configuration
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # Proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
Easiest fix is to set the environment variable ORIGIN to your server URL.
Also, the adapters should have a setting that makes them check forward headers, we need to track that as a feature request.
I am encountering the same issue and setting the ORIGIN environment variable during runtime doesn't help either. The issue seems to be specific to bun adapter. What did help was disabling SSG by setting ssg to null in bunServerAdapter object in vite.config.ts file in adapters/bun folder or setting the ORIGIN environment variable during build time.
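Added example (not from the issue and not Qwik's own code): a simplified JavaScript model of an origin-comparison CSRF check, showing why the POST forwarded by the nginx config above is rejected and how an explicit ORIGIN or opt-in use of X-Forwarded-Proto changes the result. The names serverOrigin, csrfCheck, trustForwarded and socketEncrypted are assumptions made for illustration.

```javascript
// Simplified model of an origin-based CSRF check behind a TLS-terminating proxy.
// Hypothetical code: serverOrigin, csrfCheck, trustForwarded and socketEncrypted
// are illustrative names, not part of any framework API.

// Decide which origin the server believes it is serving.
function serverOrigin(req, { envOrigin, trustForwarded = false } = {}) {
  // 1. An explicitly configured origin (the ORIGIN variable) always wins.
  if (envOrigin) return new URL(envOrigin).origin;
  const host = req.headers["host"];
  // 2. Opt-in only: believe X-Forwarded-Proto. Safe only when every request
  //    reaches the app through a proxy that overwrites this header, because
  //    a client that connects directly can send any value it likes.
  const fwd = req.headers["x-forwarded-proto"];
  if (trustForwarded && (fwd === "http" || fwd === "https")) {
    return `${fwd}://${host}`;
  }
  // 3. Fallback: the scheme of the socket the app itself accepted. Behind
  //    nginx with proxy_pass http://... this is plain http.
  return `${req.socketEncrypted ? "https" : "http"}://${host}`;
}

// Compare the browser's Origin header with the origin the server expects.
function csrfCheck(req, opts) {
  const expected = serverOrigin(req, opts);
  const actual = req.headers["origin"];
  return actual === expected
    ? { ok: true }
    : { ok: false, requestOrigin: actual, serverOrigin: expected };
}

// Constructed sample: the form POST as the app sees it after nginx terminated
// TLS and forwarded it over http with the headers from the config above.
const proxied = {
  method: "POST",
  socketEncrypted: false,
  headers: {
    host: "www.xx.com",
    origin: "https://www.xx.com",
    "x-forwarded-proto": "https",
  },
};

console.log(csrfCheck(proxied));                                      // rejected: https vs http
console.log(csrfCheck(proxied, { envOrigin: "https://www.xx.com" })); // accepted
console.log(csrfCheck(proxied, { trustForwarded: true }));            // accepted
```

In this model a genuinely cross-site Origin is still rejected in all three configurations, so setting ORIGIN restores the legitimate form post without loosening the check.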