PrivateBin's UI POSTs the encrypted blob to `/` via XHR. With Anubis in front, the catch-all CHALLENGE rule returned an HTML challenge page where the JS expected JSON, so paste creation failed silently for every user. The challenge cookie didn't bypass it — Anubis appears to issue a fresh challenge on POST regardless of cookie state.

Pastes are client-side encrypted; AI scrapers gain nothing from indexing them, so the default `anti_ai_scraping` middleware is enough protection. Restoring the ingress to point straight at the privatebin service.

CSP `wasm-unsafe-eval` retained — PrivateBin's zlib.wasm needs it independent of Anubis.

This matches the rule already documented in infra/.claude/CLAUDE.md: "DO NOT put Anubis in front of Git/API/WebDAV/CLI endpoints — clients without JS can't solve PoW." A SPA's XHR is the same shape.

Verified: GET / returns PrivateBin HTML (not the Anubis challenge), POST / returns PrivateBin's own JSON error envelope.

| Name |
|---|
| .terraform.lock.hcl |
| backend.tf |
| main.tf |
| providers.tf |
| secrets |
| terragrunt.hcl |