[🐞] routeAction$ CSRF check failed

[lontten]

Which component is affected?

Qwik Runtime

Describe the bug

1. button type="submit"

CSRF check failed. Cross-site POST form submissions are forbidden.\nThe request origin "https://www.xx.com\" does not match the server origin "http://www.xx.com\"."

2. Using actions programmatically await actionSaveWord.submit()
   ok，no CSRF

Reproduction

https://stackblitz.com/edit/github-q2y5ygdo?file=src%2Froutes%2Findex.tsx

Steps to reproduce

bun run build
bun run serve

System Info

System:
    OS: macOS 15.6.1
    CPU: (8) arm64 Apple M1
    Memory: 145.28 MB / 8.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.12.0 - /Users/lontten/.nvm/versions/node/v22.12.0/bin/node
    npm: 10.9.0 - /Users/lontten/.nvm/versions/node/v22.12.0/bin/npm
    bun: 1.2.23 - /Users/lontten/.bun/bin/bun
  Browsers:
    Edge: 141.0.3537.57
    Safari: 18.6

Additional Information

nginx

        location / {
                proxy_pass http://127.0.0.1:3010;


                # 关键配置
                proxy_http_version 1.1;
                proxy_set_header Connection "";

                # 代理头
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

[wmertens]

Easiest fix is to set the environment variable ORIGIN to your server url.

Also, the adapters should have a setting that makes them check forward headers, we need to track that as a feature request.

[akshaykodali]

I am encountering the same issue and setting the ORIGIN environment variable during runtime doesn't help either. The issue seems to be specific to bun adapter. What did help was disabling SSG by setting ssg to null in bunServerAdapter object in vite.config.ts file in adapters/bun folder or setting the ORIGIN environment variable during build time.