github nesquena/hermes-webui v0.50.16
v0.50.16 — Fix CSRF check behind reverse proxy on non-standard ports

10 hours ago

What's new in v0.50.16

Fix: CSRF check no longer fails behind reverse proxy on non-standard ports (closes #355)

Deployments behind Nginx Proxy Manager, Caddy, Traefik, or similar on non-standard ports (e.g. :8000) were getting 403 on every POST request. The browser sends Origin: https://app.example.com:8000 but the proxy forwards Host: app.example.com (port stripped). The old string comparison treated these as different origins.

What changed in api/routes.py:

  • _normalize_host_port() — properly parses host:port, including IPv6 bracket notation
  • _ports_match(scheme, origin_port, allowed_port) — scheme-aware port equivalence. An absent port means :80 for http:// and :443 for https://. Port 80 and port 443 are distinct defaults, not interchangeable.
  • HERMES_WEBUI_ALLOWED_ORIGINS env var — explicit comma-separated allowlist for cases where port normalization alone isn't enough:
      HERMES_WEBUI_ALLOWED_ORIGINS=https://myapp.example.com:8000

Each entry must include the scheme (https://). Entries without a scheme are ignored with a warning.

Security note: A bug in the original PR's _ports_match would have allowed cross-protocol port confusion (an http://host origin passing for an https://host:443 server). Fixed during review by making port defaults scheme-specific.
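The following is an added illustration of the three pieces described above (host:port normalization with IPv6 brackets, scheme-aware port equivalence, and the scheme-required allowlist), written for this page rather than taken from hermes-webui's api/routes.py. The function names, the exact matching policy in origin_allowed (allowlist first, then Host-header comparison under the proxy-reported scheme) and the X-Forwarded-Proto-style scheme argument are assumptions. It also keeps a deliberately wrong ports_match_buggy beside the correct version so the cross-protocol confusion from the security note is visible in a test.

```python
"""Origin/Host CSRF check with scheme-aware port defaults and an explicit
allowlist. Added example modelled on the release notes; not project code."""
import logging
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Default port per scheme. http and https are deliberately distinct: an absent
# port on an http origin means 80, never 443.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_host_port(hostport):
    """Split 'host[:port]' into (host, port or None), handling IPv6 brackets.

    '[::1]:8000' -> ('::1', 8000); 'App.Example.com' -> ('app.example.com', None)
    Raises ValueError on malformed input (empty host, bad bracket, non-numeric port).
    """
    hostport = hostport.strip().lower()
    if hostport.startswith("["):                      # bracketed IPv6 literal
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % hostport)
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal: %r" % hostport)
        return host, int(rest[1:])
    if hostport.count(":") > 1:                       # bare IPv6: no port possible
        return hostport, None
    host, sep, port = hostport.partition(":")
    if not host:
        raise ValueError("empty host in %r" % hostport)
    return host, (int(port) if sep else None)


def ports_match(scheme, origin_port, allowed_port):
    """Scheme-aware equivalence: a missing port takes the default of *scheme*."""
    default = DEFAULT_PORTS.get(scheme)
    if default is None:                               # unknown scheme never matches
        return False
    effective_origin = default if origin_port is None else origin_port
    effective_allowed = default if allowed_port is None else allowed_port
    return effective_origin == effective_allowed


def ports_match_buggy(origin_port, allowed_port):
    """Contrast only: the cross-protocol bug from the security note. Treating an
    absent port as 'either 80 or 443' lets http://host pass for https://host:443."""
    defaults = {80, 443}
    a = defaults if origin_port is None else {origin_port}
    b = defaults if allowed_port is None else {allowed_port}
    return bool(a & b)


def parse_allowed_origins(env_value):
    """Parse a comma-separated allowlist into a set of (scheme, host, port).
    Entries without an http(s) scheme are skipped with a warning."""
    allowed = set()
    for entry in (e.strip() for e in env_value.split(",")):
        if not entry:
            continue
        parts = urlsplit(entry)
        if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
            log.warning("ignoring allowed origin without http(s) scheme: %r", entry)
            continue
        host, port = normalize_host_port(parts.netloc)
        allowed.add((parts.scheme, host, port))
    return allowed


def origin_allowed(origin, host_header, forwarded_proto, allowlist):
    """Decide whether a request's Origin may POST.

    Policy (an assumption for this example): accept if the origin is in the
    explicit allowlist, or if its host equals the Host header and the ports are
    equivalent under the scheme the proxy reports (e.g. X-Forwarded-Proto).
    """
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
        return False
    o_host, o_port = normalize_host_port(parts.netloc)
    for scheme, host, port in allowlist:
        if scheme == parts.scheme and host == o_host and ports_match(scheme, o_port, port):
            return True
    if parts.scheme != forwarded_proto:               # http origin against an https server
        return False
    h_host, h_port = normalize_host_port(host_header)
    return h_host == o_host and ports_match(forwarded_proto, o_port, h_port)


if __name__ == "__main__":
    # Constructed scenario from the notes: Origin carries :8000, Host has the port stripped.
    allowlist = parse_allowed_origins("https://myapp.example.com:8000, myapp.example.com:9000")
    print(origin_allowed("https://myapp.example.com:8000", "myapp.example.com", "https", allowlist))
```

With the allowlist empty, the :8000 origin against a port-stripped Host header is still rejected under this policy, which is the case the HERMES_WEBUI_ALLOWED_ORIGINS entry is meant to cover; the entry without a scheme is dropped with a warning rather than silently matched.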


900 tests | Full changelog
