Open
Description
Problem
When using @sveltejs/adapter-node with NGINX in a self-managed Docker setup, SvelteKit's default CSRF protection checks the origin header of incoming requests against the internal host. If the ORIGIN environment variable is not set to the public domain, valid POST requests, such as product edits or logins, will return a 403 Forbidden error.
Proposed Solution
- Update docker-compose.yml to add the ORIGIN environment variable.
- Document this requirement in .env.example to help with smooth onboarding for official infrastructure deployment (Deploy to the official Open Food Facts infrastructure #878).
Context
This issue came from the discussion in #878 at the request of @VaiTon.
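The failure described above, as an added example that is not code from this issue, the project, or SvelteKit: a simplified model of the origin comparison for form submissions behind a reverse proxy. The hostnames and requests are constructed, and rebuilding the server origin from the forwarded Host header with an `https` scheme when ORIGIN is unset is a modelling assumption.

```javascript
// Simplified model of the check; not SvelteKit's source code.
const FORM_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const STATE_CHANGING = ['POST', 'PUT', 'PATCH', 'DELETE'];

// Origin the server believes it is served from: ORIGIN if set, otherwise
// rebuilt from the Host header the proxy forwarded (assumed https scheme).
function serverOrigin(env, headers) {
  if (env.ORIGIN) return new URL(env.ORIGIN).origin;
  return new URL(`https://${headers.host}`).origin;
}

// Returns the HTTP status the model assigns to a request: 403 when a
// state-changing form submission carries an Origin that differs from serverOrigin.
function csrfStatus(env, request) {
  const headers = Object.fromEntries(
    Object.entries(request.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const type = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!STATE_CHANGING.includes(request.method) || !FORM_TYPES.includes(type)) return 200;
  return headers.origin === serverOrigin(env, headers) ? 200 : 403;
}

// Constructed sample: a browser on the public site posts a form; the proxy
// forwards it with the internal upstream name in the Host header.
const PUBLIC = 'https://shop.example.org'; // hypothetical public domain
const proxiedPost = (origin) => ({
  method: 'POST',
  headers: {
    Host: 'frontend:3000', // hypothetical internal Docker service name
    Origin: origin,
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
  },
});

function runDemo() {
  return {
    originUnset: csrfStatus({}, proxiedPost(PUBLIC)),              // legitimate POST rejected
    originSet: csrfStatus({ ORIGIN: PUBLIC }, proxiedPost(PUBLIC)), // legitimate POST accepted
    crossSite: csrfStatus({ ORIGIN: PUBLIC }, proxiedPost('https://other.example')),
    getRequest: csrfStatus({}, { ...proxiedPost(PUBLIC), method: 'GET' }),
  };
}

console.log(runDemo());
```

Setting ORIGIN keeps the cross-site case at 403, so the fix restores legitimate submissions without disabling the check.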