From a5f8c43f81be2e798435a72587ef4b8c51ec7627 Mon Sep 17 00:00:00 2001
From: Martin Porwoll
Date: Wed, 25 Feb 2026 13:52:34 +0000
Subject: [PATCH] revert: remove unnecessary serverActions.allowedOrigins

The 403 "Forbidden" on production was caused by ModSecurity WAF (OWASP CRS 3.3.7) blocking PATCH/POST requests at the nginx layer, not by Next.js server actions CSRF. Nginx proxy_set_header Host $host ensures Origin and Host always match, making allowedOrigins redundant.
Co-Authored-By: Claude Opus 4.6
---
 next.config.mjs | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/next.config.mjs b/next.config.mjs
index 0c9cd13..87421d1 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -7,14 +7,6 @@ const nextConfig = {
 // Use fewer workers for builds on low-memory systems
 workerThreads: false,
 cpus: 1,
- // Allow server actions from these origins (behind reverse proxy)
- serverActions: {
- allowedOrigins: [
- 'pl.porwoll.tech',
- 'pl.c2sgmbh.de',
- 'cms.c2sgmbh.de',
- ],
- },
 },
 // Webpack configuration for TypeScript/ESM compatibility
 webpack: (webpackConfig) => {