From 17d29647b4debce0c86ef22da9db5e2d0c60dd4b Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Thu, 5 Mar 2026 22:33:11 +0000
Subject: [PATCH] Allow OIDC logout form submission in CSP form-action directive

The oidc-provider library renders logout forms with absolute URLs, which gets blocked by the strict form-action 'self' CSP directive.
---
 server/middleware/02.security-headers.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/middleware/02.security-headers.js b/server/middleware/02.security-headers.js
index f29ce86..25d0b1a 100644
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
 "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
 "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
 "base-uri 'self'",
-"form-action 'self'",
+"form-action 'self' https://ghostguild.org",
 ].join('; ')
 }
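Review bot: The added `form-action` source hard-codes a single production origin, which is a fragile fix for the stated problem: `'self'` already matches an absolute URL to the page's own origin, so the logout form is presumably being blocked because the OIDC issuer origin differs from the origin serving the page (a www/apex mismatch or a non-production host), and any environment whose issuer is not exactly `https://ghostguild.org` will keep failing. Building the entry from the configured OIDC issuer origin (however the app exposes that setting) rather than a literal would keep the allowlist and the issuer in sync and avoid widening the directive in environments that do not need it. Please also add a why-comment on the new line, e.g. `"form-action 'self' https://ghostguild.org", // oidc-provider renders logout forms with absolute issuer URLs`, so the next reader does not tighten it back to `'self'`. Note that some browsers also apply `form-action` to the redirect chain after submission, so if the logout flow redirects to an off-origin `post_logout_redirect_uri` that target may need covering too; worth confirming in the browser console. The enclosing `defineEventHandler` starts and ends outside this hunk.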