From d9244d6f3cef8d6d7cba9b00fce2b25621742616 Mon Sep 17 00:00:00 2001
From: Fuwn <contact@fuwn.net>
Date: Thu, 21 May 2026 13:44:59 +0000
Subject: fix(settings): send JSON Content-Type on configuration PUTs

fetch() defaults a string body to text/plain, which SvelteKit's
csrf_check_origin treats as a form submission. Behind portless's
HTTPS-to-HTTP dev proxy the Origin scheme mismatches url.origin
and the requests 403'd. Declaring application/json is correct for
the body and bypasses the form-content-type check.
---
 src/lib/CommandPalette/syncActions.ts | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/lib/CommandPalette/syncActions.ts')

diff --git a/src/lib/CommandPalette/syncActions.ts b/src/lib/CommandPalette/syncActions.ts
index 49859221..90c6a931 100644
--- a/src/lib/CommandPalette/syncActions.ts
+++ b/src/lib/CommandPalette/syncActions.ts
@@ -24,6 +24,7 @@ export const syncActions = (
 
 				fetch(root(`/api/configuration`), {
 					method: "PUT",
+					headers: { "Content-Type": "application/json" },
 					body: JSON.stringify(get(settings)),
 				})
 					.then((response) => {
-- 
cgit v1.2.3