5c7e461dad
The old CSRF middleware used exact string matching against a static list of origins (https://host, http://localhost:port). This broke when the frontend ran on a different port (Vite dev server) or accessed via LAN IP. New behavior: - Origin hostname matching: any Origin whose hostname matches cfg.Host is trusted, regardless of scheme or port - Localhost variants always trusted: localhost, 127.0.0.1, ::1 - Additional origins can be passed explicitly (future env var support)