From 5e24550cacd0f80ea4ec62dab873e747b2ae86b7 Mon Sep 17 00:00:00 2001
From: Adam Mathes <adam@adammathes.com>
Date: Sat, 14 Feb 2026 10:52:50 -0800
Subject: fix: CSRF cookie configuration for local network access\n\n- Changed
 SameSite from Lax to None to allow cookie access across localhost/IP
 variations\n- Added Secure=false for local development (should be true in
 production with HTTPS)\n- Added credentials:'include' to all fetch requests
 to ensure cookies are sent\n- Updated tests to expect credentials parameter
 in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN
 IPs like 192.168.x.x

---
 frontend/src/utils.ts | 1 +
 1 file changed, 1 insertion(+)

(limited to 'frontend/src/utils.ts')

diff --git a/frontend/src/utils.ts b/frontend/src/utils.ts
index 129ebbb..ebfb692 100644
--- a/frontend/src/utils.ts
+++ b/frontend/src/utils.ts
@@ -27,5 +27,6 @@ export async function apiFetch(input: RequestInfo | URL, init?: RequestInit): Pr
     return fetch(input, {
         ...init,
         headers,
+        credentials: 'include', // Ensure cookies are sent
     });
 }
-- 
cgit v1.2.3