From 72ac479f5d0472425fe150c4aacd03d1030b0077 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Wed, 11 Feb 2026 09:52:56 -0700
Subject: [PATCH] admin: Enforce origin implicitly based on request headers

---
 admin.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/admin.go b/admin.go
index ae9bae795..46f1bbda3 100644
--- a/admin.go
+++ b/admin.go
@@ -849,7 +849,9 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 }
 }
 
- if h.enforceOrigin {
+ _, hasOriginHeader := r.Header["Origin"]
+ _, hasSecHeader := r.Header["Sec-Fetch-Mode"]
+ if h.enforceOrigin || hasOriginHeader || hasSecHeader {
 // cross-site mitigation
 origin, err := h.checkOrigin(r)
 if err != nil {
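Review bot: The new condition `if h.enforceOrigin || hasOriginHeader || hasSecHeader {` makes the origin check depend on whether the client sent `Origin` or `Sec-Fetch-Mode`, but nothing in the hunk explains that, and the existing `// cross-site mitigation` comment now understates what is enforced. A comment above the two lookups would help, e.g. `// Either header marks a browser-originated request; check the origin for those even when h.enforceOrigin is false.` It should also state that a request carrying neither header is still checked only when `h.enforceOrigin` is set, so the explicit setting remains the control for clients that omit both. What `checkOrigin` returns when `Sec-Fetch-Mode` is present and `Origin` is absent is not visible here (serveHTTP starts and continues outside the hunk); if that case is rejected, it is a behaviour change for existing deployments that deserves a line in the commit message and a test, since the diffstat shows only admin.go changed.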