revert: remove unnecessary serverActions.allowedOrigins

The 403 "Forbidden" on production was caused by ModSecurity WAF (OWASP CRS 3.3.7) blocking PATCH/POST requests at the nginx layer, not by Next.js server actions CSRF. Nginx proxy_set_header Host $host ensures Origin and Host always match, making allowedOrigins redundant. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 15:04:14 +00:00 · 2026-02-25 13:52:34 +00:00 · 2026-02-25 13:52:34 +00:00 · a5f8c43f81
commit a5f8c43f81
parent a77c2b747d
1 changed files with 0 additions and 8 deletions
--- a/next.config.mjs
+++ b/next.config.mjs
@ -7,14 +7,6 @@ const nextConfig = {
    // Use fewer workers for builds on low-memory systems
    workerThreads: false,
    cpus: 1,
-    // Allow server actions from these origins (behind reverse proxy)
-    serverActions: {
-      allowedOrigins: [
-        'pl.porwoll.tech',
-        'pl.c2sgmbh.de',
-        'cms.c2sgmbh.de',
-      ],
-    },
  },
  // Webpack configuration for TypeScript/ESM compatibility
  webpack: (webpackConfig) => {