Cross-site POST form submissions are forbidden #12851

Closed
1 task
wildfiremedia opened this issue Dec 29, 2024 · 3 comments
Labels
needs triage Issue needs to be triaged

Comments

@wildfiremedia

Astro Info

Astro                    v5.1.1
Node                     v22.12.0
System                   macOS (arm64)
Package Manager          npm
Output                   server
Adapter                  @astrojs/node
Integrations             @astrojs/tailwind

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

In the transition from 4.x to 5.x, I found I could not submit the form when testing in npx astro preview after the build, on macOS. Is it something where we need to disable CORS?

Submitting a form to the same origin threw "Cross-site POST form submissions are forbidden", which is weird.

What's the expected result?

Tested on localhost:8080; should it continue to work as expected in 5.x?

Link to Minimal Reproducible Example

NA

Participation

  • I am willing to submit a pull request for this issue.
@github-actions github-actions bot added the needs triage Issue needs to be triaged label Dec 29, 2024
@Lippiece

Lippiece commented Dec 29, 2024

This is really painful. I needed a quick MVP and can't deploy it on Render because the app refuses to perform POST requests to itself.

All I found is the exact same message in SvelteKit. How can we disable this behaviour here? Setting ORIGIN env doesn't seem to have any effect.

@wildfiremedia
Author

wildfiremedia commented Dec 30, 2024

Just discovered I need to disable this check when running preview

Nginx port localhost:8080
Astro on port localhost:3232
Web browser: localhost:8080

Mentioned in the docs, CSRF protection is enabled by default for 5.x.

astro.config.mjs

security: {
  checkOrigin: false
}

@wildfiremedia
Author

@Lippiece Worth reading :)
https://docs.astro.build/en/reference/configuration-reference/#security
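
An added example (not code from this thread or from Astro): a simplified JavaScript model of an Origin-header check, run against constructed requests for the topology in the Dec 30 comment (browser and nginx on localhost:8080, Astro on localhost:3232). It assumes the app server derives its own origin from the Host header it receives and that nginx uses its default of rewriting Host to the upstream address; all function and variable names are hypothetical.

```javascript
// Simplified model of an Origin-header CSRF check. Assumption: this is an
// illustration, not Astro's source. Content types follow the Astro docs.
const FORM_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];
const UNSAFE_METHODS = ["POST", "PUT", "PATCH", "DELETE"];

// Origin the app server believes it is serving, derived from the Host header
// it actually received (assumption: no X-Forwarded-* handling in this model).
function serverSeenOrigin(headers, scheme = "http") {
  return new URL(`${scheme}://${headers.host}`).origin;
}

// Returns the status the check would produce: 403 on mismatch, 200 otherwise.
function checkOrigin(method, headers) {
  const type = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!UNSAFE_METHODS.includes(method.toUpperCase())) return 200;
  if (!FORM_TYPES.includes(type)) return 200;
  return headers.origin === serverSeenOrigin(headers) ? 200 : 403;
}

// Constructed sample requests (header names lower-cased, as Node presents them).
const form = "application/x-www-form-urlencoded";
const browserOrigin = "http://localhost:8080";

// nginx default (proxy_set_header Host $proxy_host): Host becomes the upstream.
const viaDefaultProxy = { host: "localhost:3232", origin: browserOrigin, "content-type": form };

// Proxy forwards the browser's Host header unchanged.
const viaHostPreservingProxy = { host: "localhost:8080", origin: browserOrigin, "content-type": form };

// A submission that really does come from another site.
const crossSite = { host: "localhost:8080", origin: "http://other.example", "content-type": form };

for (const [name, h] of Object.entries({ viaDefaultProxy, viaHostPreservingProxy, crossSite })) {
  console.log(name, "server sees", serverSeenOrigin(h), "->", checkOrigin("POST", h));
}
```

In this model the same-origin form post is rejected only because the proxy hides the public host from the app; once the browser's Host header is forwarded, it passes while the cross-site post is still refused, so the check can stay enabled.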
