From 2d64af148eaf277d95e26b258ba4f2495eb632a0 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Tue, 10 Feb 2026 01:29:38 +0000
Subject: [PATCH] Fix CSRF 403 error when logging in behind Cloudflare/Traefik
 proxy

Force nginx X-Forwarded-Proto default to https since all traffic
arrives through Cloudflare. The proxy chain was setting it to http,
causing CSRF token origin mismatch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 app.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app.yml b/app.yml
index 41cedc4..5747456 100644
--- a/app.yml
+++ b/app.yml
@@ -71,6 +71,10 @@ hooks:
 ## Memory limit: 2GB container + 2GB swap
 run:
   - exec: echo "Beginning of custom commands"
+  ## Fix CSRF issues behind Cloudflare/Traefik reverse proxy chain.
+  ## Force X-Forwarded-Proto to always be https since all external traffic comes via Cloudflare.
+  - exec:
+      cmd: sed -i 's/default \$scheme;/default https;/' /etc/nginx/conf.d/discourse.conf
 
 ## Traefik integration labels
 labels: