From 40f66eda350c43704d65c38ee213467d9e5c9e62 Mon Sep 17 00:00:00 2001
From: Martin Porwoll
Date: Wed, 14 Jan 2026 17:01:45 +0000
Subject: [PATCH] fix(security): add c2sgmbh.de to CSRF production domains

Add missing production domain for cms.c2sgmbh.de to the CSRF origin validation whitelist.

Co-Authored-By: Claude Opus 4.5
---
 src/lib/security/csrf.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/security/csrf.ts b/src/lib/security/csrf.ts
index 0555bae..c4656d1 100644
--- a/src/lib/security/csrf.ts
+++ b/src/lib/security/csrf.ts
@@ -142,7 +142,7 @@ export function validateOrigin(origin: string | null): { valid: boolean; reason?
 }
 // Subdomain-Matching für Produktions-Domains
- const productionDomains = ['pl.porwoll.tech', 'porwoll.de', 'complexcaresolutions.de', 'gunshin.de']
+ const productionDomains = ['pl.porwoll.tech', 'c2sgmbh.de', 'porwoll.de', 'complexcaresolutions.de', 'gunshin.de']
 for (const domain of productionDomains) {
 if (origin.endsWith(domain) && origin.startsWith('https://')) {
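Review bot: The origin check on the `if` line at the end of this hunk is a plain suffix match, `origin.endsWith(domain)`, with no host boundary, so any HTTPS origin whose hostname merely ends in a listed string (a constructed example: `https://notc2sgmbh.de`) passes the same test as `https://cms.c2sgmbh.de`; every entry in `productionDomains`, including the newly added `c2sgmbh.de`, inherits that. Compare the parsed hostname instead: `const host = new URL(origin).hostname` followed by `if (host === domain || host.endsWith('.' + domain))`, with the scheme requirement taken from the parsed `protocol`. `new URL` throws on malformed input, so such origins should be rejected explicitly rather than left to propagate. The body of `validateOrigin` starts before and continues after the hunk, so whether an earlier branch already parses or normalises `origin` is not visible here.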