The 403 "Forbidden" on production was caused by ModSecurity WAF
(OWASP CRS 3.3.7) blocking PATCH/POST requests at the nginx layer,
not by Next.js server actions CSRF. Nginx proxy_set_header Host $host
ensures Origin and Host always match, making allowedOrigins redundant.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Next.js has its own CSRF protection for server actions, separate from
Payload's csrf config. Without allowedOrigins, server actions from the
admin panel behind a reverse proxy are rejected because the Origin header
(cms.c2sgmbh.de) doesn't match the Host header (localhost:3001).
Also removes temporary debug logging from multiTenant access check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

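The two commits above describe the same check from both sides: Next.js rejects a server action when the browser's Origin does not match the Host the app sees, a reverse proxy that rewrites Host to the upstream address (localhost:3001) triggers that mismatch, and either forwarding the public Host or listing it in allowedOrigins resolves it. The following is an added illustration, not Next.js or project code: a simplified model of that Origin-vs-Host comparison (exact host match plus an allowlist; Next.js's real implementation also handles forwarded-host headers and wildcard patterns) run over constructed header sets for each setup.

```javascript
// Added illustration (not Next.js source): a simplified model of the
// Origin-vs-Host comparison applied to server-action requests. It returns
// true when the request would be accepted.
function serverActionOriginAllowed(headers, allowedOrigins = []) {
  const origin = headers.origin;
  const host = headers.host;
  if (!origin || !host) return false;          // missing header: treat as mismatch
  let originHost;
  try {
    originHost = new URL(origin).host;         // "https://cms.c2sgmbh.de" -> "cms.c2sgmbh.de"
  } catch {
    return false;                              // malformed Origin: reject
  }
  if (originHost === host) return true;        // same-origin: the normal case
  // Explicit allowlist (the allowedOrigins escape hatch); exact match only here.
  return allowedOrigins.includes(originHost);
}

// Constructed header sets modelling the setups in the commit messages.
// 1. nginx proxies to localhost:3001 without forwarding the public Host:
//    the app sees the upstream address while the browser sent the public Origin.
const hostRewritten = { origin: 'https://cms.c2sgmbh.de', host: 'localhost:3001' };
// 2. nginx with `proxy_set_header Host $host;`: Host matches Origin again.
const hostForwarded = { origin: 'https://cms.c2sgmbh.de', host: 'cms.c2sgmbh.de' };
// 3. A request from a different site, the case the check exists to stop.
const crossSite = { origin: 'https://other.example', host: 'cms.c2sgmbh.de' };

// Evaluate every setup so the outcomes can be compared side by side.
function evaluateSetups() {
  return {
    rewrittenNoAllowlist: serverActionOriginAllowed(hostRewritten),                     // false: 403
    rewrittenWithAllowlist: serverActionOriginAllowed(hostRewritten, ['cms.c2sgmbh.de']), // true
    forwardedNoAllowlist: serverActionOriginAllowed(hostForwarded),                     // true: allowlist redundant
    crossSiteForwarded: serverActionOriginAllowed(hostForwarded && crossSite),          // false: still blocked
    crossSiteWithAllowlist: serverActionOriginAllowed(crossSite, ['cms.c2sgmbh.de']),   // false: allowlist is by Origin
  };
}

console.log(evaluateSetups());
```

Forwarding the real Host (setup 2) keeps the same-origin check intact without an allowlist, while a cross-site Origin stays rejected even when the public host is allowlisted.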
Breaking changes addressed:
- Migrate middleware.ts → proxy.ts (Next.js 16 deprecation)
- Remove eslint config from next.config.mjs (moved to eslint.config.mjs)
- Add turbopack.resolveAlias for TypeScript/ESM compatibility
- Use --webpack flag for production builds (Turbopack stable in 16.1.0)
Notes:
- @payloadcms/next peer dependency warning (expects Next.js 15.x)
- Turbopack used for development, Webpack for production builds
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Update payload.config.ts with new collections, blocks, and globals
- Configure i18n with DE/EN localization support
- Add multi-tenant plugin configuration
- Update ecosystem.config.cjs for PM2
- Regenerate payload-types.ts and importMap.js
- Add prettier configuration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>