Matt Van Horn d0e01d2863 fix(server): include x-forwarded-host in board mutation origin check ...

Behind a reverse proxy with a custom port (e.g. Caddy on :3443), the
browser sends an Origin header that includes the port, but the board
mutation guard only read the Host header which often omits the port.
This caused a 403 "Board mutation requires trusted browser origin"
for self-hosted deployments behind reverse proxies.

Read x-forwarded-host (first value, comma-split) with the same pattern
already used in private-hostname-guard.ts and routes/access.ts.

Fixes #1734

2026-03-25 00:06:43 -07:00

..

auth.ts

Add browser-based board CLI auth flow

2026-03-23 08:46:05 -05:00

board-mutation-guard.ts

fix(server): include x-forwarded-host in board mutation origin check

2026-03-25 00:06:43 -07:00

error-handler.ts

fix(server): attach raw Error to res.err and avoid pino err key collision

2026-03-07 15:19:03 -06:00

index.ts

Add API server with routes, services, and middleware

2026-02-16 13:31:58 -06:00

logger.ts

fix(server): keep pretty logger metadata on one line

2026-03-10 16:42:36 -05:00

private-hostname-guard.ts

refactor: rename packages to @paperclipai and CLI binary to paperclipai

2026-03-03 08:45:26 -06:00

validate.ts

Add API server with routes, services, and middleware

2026-02-16 13:31:58 -06:00