diff --git a/src/server.js b/src/server.js index d3805fb..acfdf21 100644 --- a/src/server.js +++ b/src/server.js @@ -80,7 +80,10 @@ async function main() { res.setHeader('X-Content-Type-Options', 'nosniff'); // Clickjacking protection for the form-driven UI (login, upload, delete...). res.setHeader('X-Frame-Options', 'DENY'); - res.setHeader('Referrer-Policy', 'no-referrer'); + // NOTE: 'no-referrer' makes Chromium send `Origin: null` on form-POST navigations, + // which then trips our checkOrigin CSRF guard. 'same-origin' keeps the referrer + // hidden from external sites while preserving the Origin header for our own POSTs. + res.setHeader('Referrer-Policy', 'same-origin'); // No inline scripts (handlers live in /static/app.js); inline styles allowed for // the small dynamic bits (disk meter width). Blocks framing and foreign resources. res.setHeader(