
fix: resolve CSRF issue in Community QuickStart #368

Open
probelabs[bot] wants to merge 1 commit into main from fix-ce-quickstart-csrf

Conversation


@probelabs probelabs bot commented Apr 3, 2026

Problem / Task

Fix CSRF issue in Community QuickStart (Issue #367). The trusted origins didn't match up and the QuickStart was using pre-release images.

Changes

  • Added DEVMODE=true to quickstart/confs/midsommar-ce.env
  • Changed the host port in quickstart/ce/compose.yaml to 3000:8080 to match the SITE_URL setting (http://localhost:3000)
  • Updated the images in quickstart/ce/compose.yaml to use v2.0.0 instead of pre-release-latest-ce for both midsommar and mgw
  • Updated quickstart/README.md to reflect the port change for CE

Testing

  • Verified the configuration changes match the requirements for resolving the CSRF issue.


probelabs bot commented Apr 3, 2026

This PR resolves a Cross-Site Request Forgery (CSRF) issue in the Community Edition QuickStart setup by aligning configuration settings. The SITE_URL was set to http://localhost:3000, but the service was exposed on port 8585, causing an origin mismatch. This has been corrected by changing the port mapping to 3000:8080.

Additionally, the Docker images for the midsommar and mgw services have been updated from a volatile pre-release-latest-ce tag to the stable v2.0.0 version, ensuring a more reliable and reproducible setup. The DEVMODE=true flag has also been enabled in the environment configuration to support local development, and the documentation has been updated to reflect the port change.

Files Changed Analysis

  • quickstart/README.md: Updated the documentation to reflect the new UI port for the Community Edition (3000).
  • quickstart/ce/compose.yaml: Aligned the host port mapping to 3000:8080 to match the SITE_URL. Updated midsommar and mgw service images to v2.0.0 for stability.
  • quickstart/confs/midsommar-ce.env: Added DEVMODE=true to the environment configuration, which disables secure cookies and CSRF protection for localhost development.

Architecture & Impact Assessment

  • Accomplishment: Fixes a CSRF misconfiguration in the CE QuickStart environment and improves its stability by using versioned Docker images.
  • Key Technical Changes: The core of the fix is synchronizing the Docker port mapping with the SITE_URL environment variable. When a user accesses http://localhost:3000, the browser's Origin header now matches the backend's trusted origin, resolving the CSRF error. Enabling DEVMODE further simplifies local development by relaxing security constraints.
  • Affected Components: This change is scoped to the local development/demo environment defined in quickstart/ce. It affects how the midsommar application is configured and exposed via Docker but does not alter the application's source code.
```mermaid
graph TD
    subgraph "User's Machine"
        A["Browser @ http://localhost:3000"]
    end

    subgraph "Docker"
        B("Port Mapping: 3000:8080")
        C["midsommar container"]
    end

    subgraph "midsommar container"
        D["Application running on port 8080"]
        E["Configuration: SITE_URL=http://localhost:3000"]
    end

    A -->|Request with Origin: http://localhost:3000| B
    B -->|Forwards to internal port 8080| D
    D -->|Validates Origin against SITE_URL| E
    E -->|Matches| D
    D -->|Processes request| B
    B -->|Response| A
```

Scope Discovery & Context Expansion

The changes are confined to the configuration files for the Community Edition QuickStart (quickstart/ce/ and quickstart/confs/). The fix highlights the critical relationship between the public-facing URL (SITE_URL and the Docker port mapping) and the application's security model (CSRF protection). The addition of DEVMODE=true was a key piece of context; a code search revealed that this flag disables secure cookies and CSRF protection when the site URL is localhost, which is a common practice to streamline local development workflows.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-03T17:49:00.871Z | Triggered by: pr_opened | Commit: ecd5207

💡 TIP: You can chat with Visor using /visor ask <your question>


probelabs bot commented Apr 3, 2026

Security Issues (1)

Severity: 🟡 Warning
Location: quickstart/confs/midsommar-ce.env:3
Issue: Enabling `DEVMODE=true` in a quickstart configuration may inadvertently encourage insecure production deployments. This mode disables CSRF protection and enables other development-only features, which is not suitable for production environments.
💡 Suggestion: The CSRF issue should be resolved by correctly configuring trusted origins via `CSRF_TRUSTED_ORIGINS` instead of disabling security features with `DEVMODE`. Remove `DEVMODE=true` and add `CSRF_TRUSTED_ORIGINS=http://localhost:3000` to the environment file. This provides the intended CSRF protection for the quickstart environment.

Architecture Issues (1)

Severity: 🟡 Warning
Location: quickstart/confs/midsommar-ce.env:3
Issue: Enabling `DEVMODE=true` in the default quickstart configuration for the Community Edition may expose users to security risks. This mode disables CSRF protection, which is not ideal for a default setup, even for local development, as it promotes insecure practices. The CSRF issue should be resolved by correctly configuring trusted origins, not by disabling the protection mechanism.
💡 Suggestion: Instead of enabling `DEVMODE`, ensure the `SITE_URL` and related CORS/CSRF configurations correctly reflect the quickstart environment's setup. The primary fix for the CSRF issue is aligning the port in `compose.yaml` with the `SITE_URL`, which has been done. Adding `DEVMODE=true` is an unnecessary and potentially insecure addition. Remove `DEVMODE=true`.

Performance Issues (1)

Severity: 🟡 Warning
Location: quickstart/confs/midsommar-ce.env:3
Issue: The `DEVMODE=true` flag has been added to the environment configuration for the Community Edition QuickStart. While this is useful for development to resolve CSRF issues by disabling CSRF protection, it can have significant performance implications. Development modes often enable verbose logging, disable caches, and add other debugging overhead that is not suitable for production or performance-sensitive environments. This setting also has security implications by disabling CSRF checks.
💡 Suggestion: For any use case beyond local development and debugging, `DEVMODE` should be set to `false`. The configuration should be updated to use more secure and performant methods for handling cross-origin requests, such as properly configuring `SITE_URL` and trusted origins, rather than disabling security features. Consider adding comments to the `.env` file to warn users about the implications of running in `DEVMODE`.

Powered by Visor from Probelabs

Last updated: 2026-04-03T17:48:32.910Z | Triggered by: pr_opened | Commit: ecd5207

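Added illustration, not code from this PR or from the midsommar project: a Python model of the origin check the PR description and the review comments discuss, covering the 8585-versus-3000 port mismatch, the reviewer's `CSRF_TRUSTED_ORIGINS` alternative, and what `DEVMODE=true` does to the check. The midsommar implementation is not on this page, so the `CsrfConfig` class, the matching logic and the default-port normalisation are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical model of the check described in the PR; midsommar's real code is not shown here.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class CsrfConfig:
    site_url: str                            # SITE_URL from quickstart/confs/midsommar-ce.env
    trusted_origins: Tuple[str, ...] = ()    # CSRF_TRUSTED_ORIGINS, as the reviewer suggests
    devmode: bool = False                    # DEVMODE=true, as added by the PR


def normalize_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]. Scheme, host and port are all part of
    the origin, so http://localhost:8585 and http://localhost:3000 differ."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_allowed(cfg: CsrfConfig, origin_header: Optional[str]) -> bool:
    """Decide whether a state-changing request carrying this Origin header passes
    the origin check. A missing header is rejected (fail closed)."""
    if cfg.devmode and urlsplit(cfg.site_url).hostname == "localhost":
        # What the PR's code search found: DEVMODE switches the check off for a
        # localhost SITE_URL, so every origin passes. This is what the reviewers flagged.
        return True
    if not origin_header:
        return False
    allowed = {normalize_origin(cfg.site_url)}
    allowed.update(normalize_origin(o) for o in cfg.trusted_origins)
    return normalize_origin(origin_header) in allowed


# Constructed configurations mirroring the PR discussion.
CE_CONFIG = CsrfConfig(site_url="http://localhost:3000")        # same env before and after the port fix
WITH_TRUSTED = CsrfConfig(site_url="http://localhost:3000",
                          trusted_origins=("http://localhost:8585",))
WITH_DEVMODE = CsrfConfig(site_url="http://localhost:3000", devmode=True)

if __name__ == "__main__":
    for cfg, origin in [(CE_CONFIG, "http://localhost:8585"),    # old 8585 mapping: rejected
                        (CE_CONFIG, "http://localhost:3000"),    # 3000:8080 mapping: accepted
                        (WITH_TRUSTED, "http://localhost:8585"),  # explicit trusted origin
                        (WITH_DEVMODE, "http://attacker.example")]:
        print(f"{origin:26} -> {'allowed' if origin_allowed(cfg, origin) else 'rejected'}")
```

The run shows why the port change alone fixes the reported error: with the browser at `http://localhost:3000` the Origin already matches `SITE_URL`, so `DEVMODE` adds nothing except accepting arbitrary origins.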
