# Questions regarding CSRF protection


tall nacelle

1- Does Jellyseerr itself need to be running HTTPS, or can it just be behind a reverse proxy that has HTTPS, for CSRF protection to not cause problems?
2- Do I understand correctly that API endpoints like "/api/v1/settings/main" get marked as read-only for all requests not coming from the subdomain that Jellyseerr is running at?

Context: All API requests from my automation server are fine when CSRF protection is off, but "POST" API requests from my automation server get the "invalid csrf token" message when CSRF protection is enabled. Meanwhile, Jellyseerr itself works correctly regardless of whether the setting is on or off. I'm trying to figure out if I did something wrong configuring the automation server (or Jellyseerr) or if I need to have CSRF protection off for the automation server to be able to make "POST" API requests.
All requests from the automation server are authenticated using the "X-Api-Key" header.

edit: numbered the questions

dusk palm