docs: v0.43.1 — CSRF reverse proxy fix (#220)

Co-authored-by: Nathan Esquenazi <nesquena@gmail.com>
2026-04-10 01:27:09 -07:00
parent e0a95193d8
commit 0df9d4830f
2 changed files with 5 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@
 ---


+## [v0.43.1] — 2026-04-10
+
+- **CSRF fix for reverse proxies** (PR #219): The CSRF check now accepts `X-Forwarded-Host` and `X-Real-Host` headers in addition to `Host`, so deployments behind Caddy, nginx, and Traefik no longer reject POST requests with "Cross-origin request rejected". Security is preserved — requests with no matching proxy header are still rejected. Fixes #218.
+
 ## [v0.43.0] — 2026-04-10

 ### Features