Problem
When accessing a box via preview URL, the proxy sets `x-forwarded-host` to the container's internal IP instead of the external preview domain:
```
x-forwarded-host: 172.18.0.4:3000 ← internal container IP (wrong)
origin: helped-oyster-93493-3000.preview.box.upstash.com ← browser's origin (correct)
```
Next.js Server Actions compare these two headers for CSRF protection. The mismatch causes all Server Actions to fail:
```
`x-forwarded-host` header with value `172.18.0.4:3000` does not match
`origin` header with value `helped-oyster-93493-3000.preview.box.upstash.com`
from a forwarded Server Actions request. Aborting the action.
⨯ [Error: Invalid Server Actions request.] { digest: '2964103434' }
POST / 500 in 222ms
```
Expected Behavior
The preview proxy should set `x-forwarded-host` to the external preview domain:
```
x-forwarded-host: helped-oyster-93493-3000.preview.box.upstash.com
```
Workaround
Adding `serverActions.allowedOrigins` to next.config:
```typescript
experimental: {
  serverActions: {
    // Accept any preview subdomain as a Server Actions origin
    allowedOrigins: ["*.preview.box.upstash.com"],
  },
},
```
Environment
- `@upstash/box`: 0.1.28
- Next.js: 15.1.7
- Box: helped-oyster-93493
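
The check described above, modeled as an added example (not Next.js source code and not part of the original report): it shows why the reported headers are rejected, why a corrected `x-forwarded-host` passes, and what the wildcard workaround additionally accepts. The function names, the one-label meaning of `*`, the fail-closed handling of a missing `origin`, and the `other-box-3000` host are assumptions made for illustration.

```javascript
// Added example: simplified model of an Origin vs. forwarded-host CSRF check.
// Not Next.js source; function names and matching rules are assumptions.

// "*" in a pattern stands for exactly one DNS label (assumed wildcard semantics).
function matchesPattern(host, pattern) {
  const h = host.toLowerCase().split(".");
  const p = pattern.toLowerCase().split(".");
  return h.length === p.length && p.every((label, i) => label === "*" || label === h[i]);
}

// Origin is normally "scheme://host[:port]"; the issue's log prints a bare host.
function originHost(origin) {
  return origin.includes("://") ? new URL(origin).host : origin;
}

function checkAction(headers, allowedOrigins = []) {
  const origin = headers["origin"];
  if (!origin) return { allowed: false, reason: "missing origin" }; // this model fails closed
  const host = headers["x-forwarded-host"] || headers["host"];
  const oHost = originHost(origin);
  if (oHost === host) return { allowed: true, reason: "origin matches host" };
  if (allowedOrigins.some((p) => matchesPattern(oHost, p))) {
    return { allowed: true, reason: "origin in allowedOrigins" };
  }
  return { allowed: false, reason: `host ${host} does not match origin ${oHost}` };
}

// Header values taken from the report above.
const PREVIEW = "helped-oyster-93493-3000.preview.box.upstash.com";
const broken = { "x-forwarded-host": "172.18.0.4:3000", origin: PREVIEW };
const fixed = { "x-forwarded-host": PREVIEW, origin: PREVIEW };
// Constructed sample: a different preview subdomain sent as Origin.
const otherBox = {
  "x-forwarded-host": "172.18.0.4:3000",
  origin: "other-box-3000.preview.box.upstash.com",
};
const WILDCARD = ["*.preview.box.upstash.com"];

console.log("reported headers:    ", checkAction(broken));
console.log("proxy fixed:         ", checkAction(fixed));
console.log("wildcard workaround: ", checkAction(broken, WILDCARD));
console.log("wildcard, other box: ", checkAction(otherBox, WILDCARD));
console.log("exact-host allowlist:", checkAction(otherBox, [PREVIEW]));
```

In this model the wildcard entry accepts every preview subdomain as an origin, not only this box's; an exact-host entry keeps the check scoped to one box until the proxy sets the header correctly.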