With the previous default of 'loopback', Express ignored X-Forwarded-Proto
headers from Caddy/nginx when running in Docker (bridge IP, not loopback).
This caused req.secure=false, which made express-session silently drop the
session cookie on login - resulting in a 401 on every subsequent request.
Changing the default to 1 (trust one proxy hop) fixes this for all standard
Docker+reverse-proxy deployments without requiring manual configuration.
docker-compose.yml now references ghcr.io/ulsklyc/oikos:latest so users
can start the app with a single 'docker compose up' without cloning or
building locally. The build: . entry is retained for contributors who
want to build from source with --build.
README Quick Start updated to document both the no-clone path (curl
docker-compose + .env.example) and the build-from-source path.
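Added example (not part of the commits or the project's code): a simplified model of the 'trust proxy' behaviour described in the first message above, showing why 'loopback' dropped the session cookie behind a Docker bridge IP and what a hop count of 1 accepts. The function names, peer addresses and header values are constructed for illustration; the model assumes a session cookie marked Secure.

```javascript
// Simplified model of how Express derives the request protocol from the
// 'trust proxy' setting, and how a Secure session cookie depends on it.
// All requests below are constructed sample data.

// Is the hop at hopIndex (0 = the directly connected peer) trusted?
function trustsHop(setting, addr, hopIndex) {
  // A numeric setting counts hops and never looks at the address.
  if (typeof setting === 'number') return hopIndex < setting;
  if (setting === 'loopback') {
    return addr === '::1' || /^(::ffff:)?127\./.test(addr);
  }
  return false;
}

// X-Forwarded-Proto is honoured only when the direct peer is trusted.
function protocolFor(setting, req) {
  if (req.tls) return 'https';
  if (!trustsHop(setting, req.peer, 0)) return 'http';
  const header = req.headers['x-forwarded-proto'] || 'http';
  return header.split(',')[0].trim();
}

// A Secure session cookie is only emitted on a request seen as HTTPS.
function sessionCookieSent(setting, req, cookieSecure = true) {
  return !cookieSecure || protocolFor(setting, req) === 'https';
}

// Reverse proxy in another container: the peer is a bridge IP, not loopback.
const viaProxy = {
  tls: false, peer: '172.18.0.3', headers: { 'x-forwarded-proto': 'https' },
};
// Client connecting straight to the published app port, sending the header itself.
const direct = {
  tls: false, peer: '192.168.1.50', headers: { 'x-forwarded-proto': 'https' },
};

console.log('loopback, via proxy, cookie sent:', sessionCookieSent('loopback', viaProxy));
console.log('1 hop,    via proxy, cookie sent:', sessionCookieSent(1, viaProxy));
console.log('loopback, direct, protocol:', protocolFor('loopback', direct));
console.log('1 hop,    direct, protocol:', protocolFor(1, direct));
```

With a hop count the peer address is not checked, so the model reports https for the direct client as well; the setting assumes the app port is reachable only through the reverse proxy.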
- CSP: added SHA-256 hash for the theme-detection inline script
- docker-compose: SESSION_SECURE=false so that HSTS and
upgrade-insecure-requests are disabled for direct HTTP access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add .dockerignore to prevent host node_modules (GLIBC 2.38) from
overwriting container-built binaries (GLIBC 2.36), fixing
better-sqlite3 ERR_DLOPEN_FAILED crash
- Bind port to 0.0.0.0 for LAN access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>