WisnuPram (ZITADEL, 2w ago, 17 replies)

CSP errors after login — possibly caused by http:// in environment.json API URL?

Tags: Self-hosted, Question, Solved
Environment: Self Hosting
Version: 4.11.0
Stack: Zitadel + Zitadel Login

Hi everyone,
I'm new here. I'm running Zitadel behind an Nginx reverse proxy with SSL termination in a local dev environment using mkcert.
After login, I noticed some CSP errors in the browser console. While investigating, I checked the console's environment file:
```
curl -sk https://mydomain.test/ui/console/assets/environment.json
```

And got this response:
```json
{"api":"http://mydomain.test","issuer":"https://mydomain.test","clientid":"360834869330378755"}
```

The api field is using http:// while issuer is correctly using https://. I suspect this mismatch is the root cause of the CSP errors I'm seeing after login, since the browser would block mixed-content requests.

My setup overview:
- Nginx handles SSL termination and proxies to Zitadel internally over plain HTTP
- X-Forwarded-Proto: https is set in the Nginx proxy config
- ZITADEL_EXTERNALSECURE is true and ZITADEL_EXTERNALPORT is 443
- The login container's ZITADEL_API_URL environment variable uses http

Is there a specific Zitadel configuration that controls the api URL in environment.json separately from issuer? Or is something wrong with how Zitadel or my Nginx config reads the forwarded headers in this setup?
Thanks in advance!
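A check for the mismatch described in the post, added here as an example (it is not from the original post or from the ZITADEL project): it parses the console's environment.json and flags an `api` or `issuer` entry whose scheme or host differs from the origin the browser loads the console from, which is exactly the mixed-content situation the post suspects. The `check_environment` and `fetch_environment` helpers and the constructed sample are my own; the file path and the sample values come from the post.

```python
"""Consistency check for a Zitadel console environment.json (added example)."""
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Constructed sample mirroring the response quoted in the post
SAMPLE = ('{"api":"http://mydomain.test","issuer":"https://mydomain.test",'
          '"clientid":"360834869330378755"}')


def check_environment(doc: dict, expected_origin: str) -> list:
    """Return findings as strings; an empty list means api/issuer match the origin."""
    findings = []
    expected = urlparse(expected_origin)
    for key in ("api", "issuer"):
        value = doc.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        url = urlparse(value)
        if url.scheme != expected.scheme:
            # An http:// API behind an https:// console is blocked as mixed content
            findings.append(f"{key}: scheme {url.scheme!r}, expected {expected.scheme!r}")
        if url.netloc != expected.netloc:
            findings.append(f"{key}: host {url.netloc!r}, expected {expected.netloc!r}")
    return findings


def check_json_text(text: str, expected_origin: str) -> list:
    """Parse a raw environment.json body and run the check on it."""
    return check_environment(json.loads(text), expected_origin)


def fetch_environment(origin: str) -> dict:
    """Fetch the console's environment.json from a running instance (path from the post)."""
    url = origin.rstrip("/") + "/ui/console/assets/environment.json"
    with urllib.request.urlopen(url) as resp:  # mkcert CA must be trusted by Python
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python check_env.py https://mydomain.test   (no argument: check the sample)
    origin = sys.argv[1] if len(sys.argv) > 1 else "https://mydomain.test"
    doc = fetch_environment(origin) if len(sys.argv) > 1 else json.loads(SAMPLE)
    for finding in check_environment(doc, origin):
        print("WARN", finding)
```

Unlike `curl -sk`, the fetch does not skip certificate verification, so the mkcert root CA has to be in Python's trust store for a live check.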