Varnish Controller 6.6.11 Release

Published April 25, 2025.

Adjustment of default behavior in the Controller-UI

This release contains an updated version of the Gorilla CSRF protection library with a fix to CVE-2025-24358. This fix makes it necessary to explicitly turn off checks of the HTTPS-specific Origin header if plaintext connections are used.

See the Controller-UI security settings examples for further details.

Necessary change for plaintext installations

Installations that do NOT use TLS need to add the -no-tls flag to their UI server startup command.

Without the -no-tls flag, attempts to log in fail with the error message Forbidden - origin invalid.

Possible problem with reverse proxies

Running the Controller-UI behind a reverse proxy such as Varnish or nginx might result in the error message Forbidden - origin invalid if the HTTP Host header is changed by the proxy.

In Varnish, make sure not to change the req.http.host variable.

In nginx, add the following configuration directive after the proxy_pass directive:

proxy_set_header Host $http_host;
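As an added illustration (not code from Varnish Software or the gorilla/csrf library), the following simplified Go model shows why a proxy that rewrites the Host header triggers the Forbidden - origin invalid error, why preserving Host fixes it, and how -no-tls skips the check for plaintext installations. The hostname controller.example.test and the upstream address 127.0.0.1:8080 are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Request is a constructed stand-in for the two headers that matter here.
type Request struct {
	Host   string // HTTP Host header as received by the Controller-UI server
	Origin string // Origin header the browser sends with the login POST
}

// checkOrigin models the behavior described in the release notes (it is not
// the library's actual code): with TLS, the browser's Origin host must match
// the Host the server sees; with -no-tls the Origin check is disabled.
func checkOrigin(noTLS bool, req Request) error {
	if noTLS {
		return nil // plaintext installation: check explicitly turned off
	}
	if req.Origin == "" {
		return fmt.Errorf("Forbidden - origin invalid: missing Origin header")
	}
	u, err := url.Parse(req.Origin)
	if err != nil || u.Host == "" {
		return fmt.Errorf("Forbidden - origin invalid: unparsable Origin %q", req.Origin)
	}
	if !strings.EqualFold(u.Host, req.Host) {
		return fmt.Errorf("Forbidden - origin invalid: Origin host %q != Host %q", u.Host, req.Host)
	}
	return nil
}

func main() {
	origin := "https://controller.example.test" // constructed browser origin

	// Proxy rewrote Host to its upstream address: login is rejected.
	rewritten := Request{Host: "127.0.0.1:8080", Origin: origin}
	fmt.Println("rewritten Host:", checkOrigin(false, rewritten))

	// Proxy preserved Host (nginx: proxy_set_header Host $http_host;): accepted.
	preserved := Request{Host: "controller.example.test", Origin: origin}
	fmt.Println("preserved Host:", checkOrigin(false, preserved))

	// UI server started with -no-tls: the Origin check is skipped entirely.
	fmt.Println("-no-tls:", checkOrigin(true, rewritten))
}
```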

Other installation types

Installations that use the -tls parameter or TLS termination through external software such as Hitch or relayd do not need to change anything.

IDP callback parameter now obsolete

When using an external identity provider with external TLS termination, the parameter -idp-https-redirect no longer needs to be set, since the correct URL can now be determined from the -no-tls parameter.

Setting -idp-https-redirect no longer has any effect. It should be removed, since with the next major release, setting the parameter will result in an error.


®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203