#Csrf check origin
7 messages
Hi @valid tapir. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Astro’s built-in CSRF protection checks the Origin header against the request URL for on-demand SSR pages. When you put Astro behind Nginx, that Origin may no longer match what Astro sees as the request URL, which causes the 403 on POST (and PATCH/DELETE/PUT) requests with form content types. [config security]
From the docs, you can disable this check in astro.config.mjs:
import { defineConfig } from 'astro/config';

export default defineConfig({
  output: 'server',
  security: {
    checkOrigin: false,
  },
});
This turns off Astro’s origin check for those methods/content types on SSR/on-demand pages, avoiding the 403. [config security]
The knowledge sources do not provide details on adjusting Nginx so that the origin still passes the check; they only document enabling/disabling security.checkOrigin.
@cedar spruce What does Astro see? Can’t I fix it instead of disabling it?
Let me check the knowledge base for you again. One moment! :books:
The knowledge sources only explain what Astro checks, not how it derives host/proto behind a reverse proxy, so I can’t say exactly “what Astro sees” in your Nginx setup. I can only describe the documented behavior.
According to the docs, when security.checkOrigin is enabled Astro:
- Looks at the Origin header sent by the browser.
- Compares that origin to the URL of the incoming Request.
- If they don’t match, it returns 403 and does not render the page. [security option]
This check runs only for on-demand rendered pages and only for POST, PATCH, DELETE, PUT with one of these content types:
application/x-www-form-urlencoded, multipart/form-data, text/plain. [security option]
The docs do not describe:
- How to configure Nginx so that Astro’s perceived URL matches the browser’s Origin.
- Any way to customize the comparison logic.
They only show that you can disable the check:
// astro.config.mjs
import { defineConfig } from 'astro/config';

export default defineConfig({
  output: 'server',
  security: {
    checkOrigin: false,
  },
});