Fix OIDC issuer generating http:// URLs in production

The OIDC provider was falling back to config.public.appUrl for its issuer, which could resolve to an http:// URL. This caused the logout form action to use http://, violating the CSP form-action directive. Hardcode the issuer fallback to https://ghostguild.org.
2026-03-05 22:42:12 +00:00 · 2026-03-05 22:42:12 +00:00 · ba92075366
commit ba92075366
parent 17d29647b4
2 changed files with 2 additions and 3 deletions
--- a/server/middleware/02.security-headers.js
+++ b/server/middleware/02.security-headers.js
@ -20,7 +20,7 @@ export default defineEventHandler((event) => {
      "connect-src 'self' https://api.helcim.com https://myposjs.helcim.com https://plausible.io",
      "frame-src 'self' https://myposjs.helcim.com https://secure.helcim.com",
      "base-uri 'self'",
-      "form-action 'self' https://ghostguild.org",
+      "form-action 'self'",
    ].join('; ')
  }