Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
fix: use Sec-Fetch-Site header for cookie authentication validation (#15751)
## Summary

- Adds `Sec-Fetch-Site` header validation for cookie-based authentication when `Origin` header is absent
- Accepts cookies for `same-origin` and `same-site` requests
- Rejects cookies for `cross-site` and `none` requests
- Falls back to rejecting cookies when `Sec-Fetch-Site` is absent and `csrf` is configured (non-browser clients should use `Authorization` header)

---------

Co-authored-by: Jessica Chowdhury <jessica@trbl.design>
Jarrod Flesch committed
ef507a6907717c9d09dfc04391e2156e0aa2d57b
Parent: 46e43fc
Committed by GitHub <noreply@github.com>
on 3/12/2026, 4:31:36 PM
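The decision rule the commit summary describes, written out as a standalone function (an added example, not Payload's own code). It assumes `csrf` is the Payload config's array of allowed origins, that a present `Origin` header is checked against that allowlist as before, and that with neither header present and no `csrf` configured the cookie is still accepted; the header-lookup helper and the `Sec-Fetch-Site` handling follow the summary's four bullet points.

```typescript
// Added example (not Payload's code): should a request's auth cookie be trusted?
// Assumption: `csrf` is the Payload config's list of allowed origin strings.
export type HeaderMap = Record<string, string | undefined>;

export interface CookieAuthConfig {
  /** Allowed origins (Payload `csrf` option). Empty or undefined = not configured. */
  csrf?: string[];
}

/** Case-insensitive header lookup over a plain object of request headers. */
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

export function shouldAcceptCookieAuth(headers: HeaderMap, config: CookieAuthConfig): boolean {
  const csrf = config.csrf ?? [];
  const csrfConfigured = csrf.length > 0;

  // Origin present: keep the pre-existing allowlist check (assumed behaviour).
  const origin = getHeader(headers, 'origin');
  if (origin !== undefined) {
    return !csrfConfigured || csrf.includes(origin);
  }

  // Origin absent: consult Sec-Fetch-Site. Browsers set this Fetch Metadata
  // header on every request and page scripts cannot override it (Sec- prefix),
  // so it reliably tells the server whether the cookie-bearing request is
  // first-party or cross-site.
  const fetchSite = getHeader(headers, 'sec-fetch-site')?.toLowerCase();
  if (fetchSite === 'same-origin' || fetchSite === 'same-site') return true;
  if (fetchSite === 'cross-site' || fetchSite === 'none') return false;

  // Neither header present. With csrf configured, treat the caller as a
  // non-browser client and reject the cookie (it should send Authorization).
  // Without csrf configured, fall back to accepting (assumed behaviour).
  return !csrfConfigured;
}
```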