
Match Origin to Host

To prevent cross-site request forgery, if the Origin header line is present, the HTTP interface must match it to the Host header. If it does not match, the request must be rejected (presumably with error 403, or maybe 401?).

If the header line is not present, then there is nothing to do; this preserves compatibility with non-web based controls.
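One way to implement the check described above, as an added Python example that is not the project's own code. The function names and the `server_scheme` parameter are assumptions: the Host header carries no scheme, so the server has to supply its own to resolve default ports.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(authority, scheme):
    """Split 'host[:port]' (IPv6 literals in brackets) into (host, port)."""
    parts = urlsplit(f"{scheme}://{authority}")
    if parts.hostname is None or parts.username is not None or parts.path:
        raise ValueError("malformed authority")
    port = parts.port  # raises ValueError on a non-numeric port
    return parts.hostname.lower(), DEFAULT_PORTS[scheme] if port is None else port


def origin_allowed(headers, server_scheme="http"):
    """Return True if the request may proceed, False if it must be rejected.

    headers: dict of request header names to values (constructed input here).
    server_scheme: scheme this listener serves (assumption, see lead-in).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return True  # no Origin header: non-browser client, nothing to check
    host = h.get("host")
    if host is None:
        return False  # cannot match Origin against a missing Host
    try:
        o = urlsplit(origin)
        # An opaque origin ("null") has no scheme and fails here as well.
        if o.scheme.lower() != server_scheme or o.path or o.query or o.fragment:
            return False
        return _host_port(o.netloc, server_scheme) == _host_port(host, server_scheme)
    except ValueError:
        return False  # malformed Origin or Host: reject rather than guess


if __name__ == "__main__":
    # Constructed sample requests
    samples = [
        {"Host": "localhost:8080"},
        {"Host": "localhost:8080", "Origin": "http://localhost:8080"},
        {"Host": "localhost:8080", "Origin": "http://other.example"},
        {"Host": "localhost:8080", "Origin": "null"},
    ]
    for s in samples:
        print(s, "->", "allow" if origin_allowed(s) else "reject")
```

The comparison is on the parsed host and port, not on raw strings, so case differences and an explicit default port do not cause false rejections, and a prefix such as `localhost:8080.other.example` does not pass.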
