Polar and Better Auth "Missing or null Origin"
Unanswered
Mike posted this in #help-forum
MikeOP
We're getting the error "Missing or null Origin" with Polar and better-auth.
Adding Polar to the trusted domains doesn't help, as Polar doesn't send origin headers.
Enabling disableCSRFCheck: true works, but that's not a good solution. Does anyone have an idea how we can implement this properly?
7 Replies
Saltwater Crocodile
Hi @Mike The issue occurs because better-auth's CSRF protection requires an Origin header, which is expected for browser-based requests.
Polar webhooks are server-to-server calls and don't include an Origin header, so the request is rejected as "Missing or null Origin".
Adding Polar to trusted domains doesn't help since there's no Origin header to validate.
While disableCSRFCheck: true works, it disables protection globally, which isn't ideal.
So you have to keep CSRF enabled globally and exclude the Polar webhook endpoint from CSRF validation,
then secure the webhook using Polar's signature verification.
MikeOP
Thank You 🙂
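One way to structure what the reply above describes, as an added example that is not code from this thread, from Polar, or from better-auth: the webhook route is authenticated by an HMAC signature over the raw body, while every other route keeps the Origin check. The path, header names, trusted origin and signing scheme are assumptions for illustration; use the scheme and header names Polar documents.

```javascript
const crypto = require("node:crypto");

// Assumed values for illustration (not Polar's or better-auth's real names).
const WEBHOOK_PATH = "/api/webhooks/polar";
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
const MAX_SKEW_SECONDS = 300;

// Assumed scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
}

// Verify against the raw, unparsed body; re-serialized JSON will not match.
function verifyWebhook(secret, headers, rawBody, nowSeconds) {
  const tsHeader = String(headers["x-webhook-timestamp"] ?? "");
  const sigHeader = String(headers["x-webhook-signature"] ?? "");
  const timestamp = Number(tsHeader);
  if (tsHeader === "" || !Number.isFinite(timestamp)) return false;
  // Reject stale or future-dated deliveries to limit replay.
  if (Math.abs(nowSeconds - timestamp) > MAX_SKEW_SECONDS) return false;
  const given = Buffer.from(sigHeader, "hex");
  const expected = Buffer.from(sign(secret, tsHeader, rawBody), "hex");
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Decide whether a request may proceed. Returns { ok, reason }.
function authorizeRequest(req, secret, nowSeconds) {
  if (req.method === "POST" && req.path === WEBHOOK_PATH) {
    // Server-to-server call: no Origin header, so the signature is the check.
    return verifyWebhook(secret, req.headers, req.rawBody, nowSeconds)
      ? { ok: true, reason: "valid webhook signature" }
      : { ok: false, reason: "invalid webhook signature" };
  }
  // Every other route keeps the Origin check.
  const origin = req.headers["origin"];
  if (!origin || origin === "null") {
    return { ok: false, reason: "Missing or null Origin" };
  }
  return TRUSTED_ORIGINS.has(origin)
    ? { ok: true, reason: "trusted origin" }
    : { ok: false, reason: "untrusted origin" };
}
```

The exemption is scoped to one method and one exact path, so a request to any other route without an Origin header is still rejected.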