github Yeraze/meshmonitor v2.4.1
v2.4.1 - Production Fixes

one month ago

🐛 Bug Fixes

Production Deployment Issues

This patch release fixes critical issues affecting production deployments with HTTPS and reverse proxies.

Fixed: Content Security Policy Blocking Inline Styles

  • Symptom: Console errors: "Refused to apply inline style because it violates CSP directive"
  • Fix: Added 'unsafe-inline' to styleSrc directive in production Helmet config
  • React and Vite use inline styles which were being blocked by the strict CSP
  • Still secure: only allows inline styles, not inline scripts

Fixed: CSRF 403 Errors on POST Requests

  • Symptom: POST /api/messages/send 403 (Forbidden) errors in production
  • Fix: Changed default SameSite cookie policy from strict to lax
  • SameSite=Strict was preventing session cookies from being sent through reverse proxies
  • SameSite=Lax is more compatible while still secure against CSRF attacks

Why These Changes?

SameSite=Lax vs Strict:

  • Strict blocks cookies on all cross-site requests, which can break legitimate use cases with reverse proxies
  • Lax allows cookies on top-level navigation while still preventing CSRF on POST/PUT/DELETE from other sites
  • Works correctly with nginx, Traefik, Caddy, and other reverse proxies

CSP Inline Styles:

  • Modern React applications use inline styles for component styling
  • Only affects style-src, not script-src (scripts still blocked)
  • Minimal security risk compared to inline scripts
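
A header check for the posture described above, as an added example that is not MeshMonitor's own code: it accepts 'unsafe-inline' in style-src but flags it in the effective script policy, and flags session cookies without SameSite=Lax/Strict or Secure. The header strings and the cookie name sid are constructed for illustration.

```javascript
// Added example, not MeshMonitor code. Header strings below are constructed samples.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Parse one Set-Cookie header into { name, attrs } with lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.split('=')[0], attrs };
}

// Return findings; an empty array means the headers match the posture described above.
function auditHeaders(cspHeader, setCookieHeader) {
  const findings = [];
  const csp = parseCsp(cspHeader);
  // script-src falls back to default-src when it is absent.
  const scripts = csp['script-src'] ?? csp['default-src'];
  if (!scripts) findings.push('no script-src or default-src: scripts are unrestricted');
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if ((scripts || []).includes(bad)) findings.push(`effective script-src allows ${bad}`);
  }
  const { name, attrs } = parseSetCookie(setCookieHeader);
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!['lax', 'strict'].includes(sameSite)) findings.push(`${name}: SameSite is not Lax or Strict`);
  if (!attrs.secure) findings.push(`${name}: missing Secure`);
  return findings;
}

const goodCsp = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
const goodCookie = 'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
console.log(auditHeaders(goodCsp, goodCookie));
console.log(auditHeaders("default-src 'self' 'unsafe-inline'", 'sid=abc123; Path=/; SameSite=None'));
```

The first call reports no findings; the second reports the inline-script allowance inherited from default-src plus the two cookie problems.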

📋 What's Changed

  • fix: resolve production CSP and CSRF issues (#186)
  • chore: bump version to 2.4.1

Full Changelog: v2.4.0...v2.4.1

📦 Installation

Docker (recommended)

docker pull ghcr.io/yeraze/meshmonitor:2.4.1

# Or using Docker Compose
docker compose pull
docker compose up -d

Docker Compose Example

services:
  meshmonitor:
    image: ghcr.io/yeraze/meshmonitor:2.4.1
    environment:
      - MESHTASTIC_NODE_IP=192.168.1.100
      - SESSION_SECRET=your-secure-random-string
      - TRUST_PROXY=true
      - COOKIE_SECURE=true
      - ALLOWED_ORIGINS=https://meshmonitor.example.com
    volumes:
      - meshmonitor-data:/data
    ports:
      - "8080:3001"
    restart: unless-stopped

# Named volumes used by a service must be declared at the top level
volumes:
  meshmonitor-data:

Helm Chart

helm upgrade meshmonitor oci://ghcr.io/yeraze/charts/meshmonitor --version 2.4.1

🔧 Configuration

For HTTPS production deployments, ensure you set:

SESSION_SECRET=<random-string>    # Required
TRUST_PROXY=true                  # Required for reverse proxy
COOKIE_SECURE=true                # Required for HTTPS
ALLOWED_ORIGINS=https://your-domain.com  # Required for CORS

See the Production Deployment Guide for complete setup instructions.

🙏 Credits

Thanks to the community for reporting these production deployment issues!

🤖 Generated with Claude Code

🚀 MeshMonitor v2.4.1

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:v2.4.1

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.
