paulmataruso/Palmr
1
0
Fork 0
mirror of https://github.com/kyantech/Palmr.git synced 2025-10-22 22:02:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Safari cross-site tracking documentation

Browse Source 
- Update reverse-proxy-configuration.mdx with new sameSite behavior
- Add Safari-specific troubleshooting section
- Document SECURE_SITE=true requirement for cross-domain deployments

Co-authored-by: danielalves96 <62755605+danielalves96@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-10-21 17:24:06 +00:00
parent f9f20462ef
commit 1eeafaf377
2 changed files with 43 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/docs/content/docs/3.2-beta/reverse-proxy-configuration.mdx
View File

@@ -17,8 +17,10 @@ The `SECURE_SITE` variable configures how Palmr. handles authentication cookies
| Value | Cookie Settings | Use Case |
| ------- | ------------------------------------- | ----------------------------------- |
| `true` | `secure: true`, `sameSite: "lax"` | HTTPS/Production with reverse proxy |
| `false` | `secure: false`, `sameSite: "strict"` | HTTP/Development (default) |
| `true` | `secure: true`, `sameSite: "none"` | HTTPS/Production with reverse proxy |
| `false` | `secure: false`, `sameSite: "lax"` | HTTP/Development (default) |
> **🔒 Safari Cross-Site Tracking**: When `SECURE_SITE=true`, cookies use `sameSite: "none"` to support Safari's Cross-Site Tracking prevention when the frontend and backend are on different domains/subdomains.
### When to Use SECURE_SITE=true

39
apps/docs/content/docs/3.2-beta/troubleshooting.mdx
View File

@@ -194,6 +194,45 @@ docker exec palmr stat /app/server/uploads/your-file.txt
See our [OIDC Configuration Guide](/docs/3.0-beta/oidc-authentication) for detailed setup.
### Safari: Images Don't Render and Downloads Are Corrupted
**Symptoms:**
- Images show as broken/loading icon in Safari
- Downloaded files are corrupted
- Works fine on localhost but fails on production domain
- Only affects Safari with "Cross-Site Tracking Prevention" enabled
**Cause:**
Safari blocks cookies when the frontend and backend are on different domains/subdomains due to Cross-Site Tracking prevention.
**Solution:**
1. **Enable secure cookies in your server `.env`:**
```bash
SECURE_SITE=true
```
2. **Ensure HTTPS is enabled:**
The `sameSite: none` cookie attribute requires HTTPS. Make sure your reverse proxy (nginx, Traefik, etc.) is configured with SSL/TLS.
3. **Restart the server:**
```bash
docker-compose down && docker-compose up -d
```
**Verification:**
- Check browser dev tools → Application → Cookies
- Look for the `token` cookie with:
- ✅ `Secure` flag enabled
- ✅ `SameSite=None`
- ✅ `HttpOnly` flag enabled
> **💡 Note**: This requires HTTPS. If using HTTP in development, keep `SECURE_SITE=false`.
---
## 🌐 Network Issues