From d6ec64bffdfa7aaf1be540bd83ed8384f8de98c0 Mon Sep 17 00:00:00 2001 From: BeauTroll <-> Date: Tue, 6 Jan 2026 11:48:11 +0100 Subject: [PATCH] Fix CSRF verification by improving Traefik proxy headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove empty X-Forwarded-For header and add X-Scheme header to properly handle HTTPS requests. Add X-Frame-Options for improved security. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 206a66d..a3d524e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -44,8 +44,9 @@ services: - "traefik.http.routers.seafile.middlewares=seafile-headers" - "traefik.http.services.seafile.loadbalancer.server.port=80" - "traefik.http.middlewares.seafile-headers.headers.customrequestheaders.X-Forwarded-Proto=https" - - "traefik.http.middlewares.seafile-headers.headers.customrequestheaders.X-Forwarded-For=" - "traefik.http.middlewares.seafile-headers.headers.customrequestheaders.X-Forwarded-Host=${SEAFILE_SERVER_HOSTNAME}" + - "traefik.http.middlewares.seafile-headers.headers.customrequestheaders.X-Scheme=https" + - "traefik.http.middlewares.seafile-headers.headers.customresponseheaders.X-Frame-Options=SAMEORIGIN" depends_on: - db - memcached
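Review bot: The added `X-Scheme=https` label, like the `X-Forwarded-Proto=https` label above it, is asserted on every request that passes through `seafile-headers`, so the backend's CSRF and secure-cookie logic will treat a request as HTTPS whether or not it actually arrived over TLS. That is only sound if the `seafile` router is attached to a TLS entrypoint alone (or plain HTTP is redirected before this middleware); the router's entrypoint labels sit above this hunk, so this cannot be confirmed here, and a comment such as `# scheme headers are hard-coded: keep this router on the TLS entrypoint only` above the two labels would record the assumption. With the empty `X-Forwarded-For=` override gone, the backend now receives whatever X-Forwarded-For Traefik forwards, so it is worth checking that the entrypoint does not set `forwardedHeaders.insecure` if Seafile uses that address for logging or login throttling. For the framing header, the headers middleware has a dedicated `customFrameOptionsValue` option, and a `Content-Security-Policy: frame-ancestors 'self'` response header would cover browsers that prefer CSP over X-Frame-Options.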