From 5e24550cacd0f80ea4ec62dab873e747b2ae86b7 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 10:52:50 -0800
Subject: fix: CSRF cookie configuration for local network access\n\n- Changed SameSite from Lax to None to allow cookie access across localhost/IP variations\n- Added Secure=false for local development (should be true in production with HTTPS)\n- Added credentials:'include' to all fetch requests to ensure cookies are sent\n- Updated tests to expect credentials parameter in fetch calls\n\nThis fixes the 403 Forbidden error when accessing from LAN IPs like 192.168.x.x
---
 web/web.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'web/web.go')
diff --git a/web/web.go b/web/web.go
index ffec8b9..d8dd832 100644
--- a/web/web.go
+++ b/web/web.go
@@ -373,7 +373,8 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 Value: token,
 Path: "/",
 HttpOnly: false, // accessible by JS
-SameSite: http.SameSiteLaxMode,
+SameSite: http.SameSiteNoneMode,
+Secure: false, // Set to true in production with HTTPS
 })
 } else {
 token = cookie.Value
-- cgit v1.2.3
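Review bot: `SameSite: http.SameSiteNoneMode` paired with `Secure: false` yields a cookie that current browsers refuse to store — SameSite=None is only honoured on Secure cookies — so over plain HTTP on a LAN address the CSRF cookie is never set and the 403 this commit targets would remain. Lax already sends the cookie on same-site requests, and a page served from 192.168.x.x calling its own host is same-site, so the old mode is unlikely to be what blocked those requests; the cause is more plausibly an origin or host comparison elsewhere, which this hunk does not show. Switching to None also drops the browser's same-site restriction on this cookie, which the CSRF design presumably relied on as a defence-in-depth layer. I would keep `SameSite: http.SameSiteLaxMode,` and derive the flag from the connection rather than hard-coding it, e.g. `Secure: r.TLS != nil, // mark Secure whenever the request arrived over TLS` (assuming the wrapped handler's request is in scope as `r`). CSRFMiddleware starts and ends outside the hunk.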