Today (July 2, 2025) we released 2.27.9 LTS of Portainer. This patch contains a single change - the addition of the --trusted-origins CLI option (and the equivalent TRUSTED_ORIGINS environment variable) for the Portainer container. This was added as a "workaround" method for those users that have been receiving "Origin invalid" error messages when logging into and interacting with Portainer since the 2.27.7 release.
Edit: We have now also released 2.31.3 STS which includes the --trusted-origins functionality for those on the STS release stream.
What happened
In version 2.27.7 we updated a third-party library (gorilla/csrf) we use as part of the Portainer code to a newer patch version (from 1.7.2 to 1.7.3). While testing this update we noted that the new version of gorilla/csrf was stricter on requirements around Origin and Referer headers than the previous release had been. In order to negate issues as a result of these changes, we added some additional checks - in particular, a check for the X-Forwarded-Proto header from reverse proxies. Our testing around this with HTTPS-to-HTTP and HTTPS-to-HTTPS reverse proxy configurations indicated these checks had resolved the issue the update introduced, so we proceeded with the patch release.
Initially, everything looked good and we saw no issues. However, over time we learned that some users were experiencing issues after this update, in particular those users with proxy configurations outside of our testing scenarios. We first saw these issues on our STS branch (2.30.0 STS) but it was soon clear that people were hitting the issues on 2.27.7 as well. Affected users would receive "Forbidden - Origin invalid" error messages when logging in and/or when interacting with containers and stacks inside Portainer.
Once we were able to identify the actual cause of the issue and who it was affecting, our team set about finding a fix that not only solved the issue for those experiencing it, but did not also introduce breaking changes for those users that were not experiencing issues with their setup, nor added necessary additional configuration steps for those unaffected. To that end, we have now released 2.27.9 LTS to add a new CLI parameter for Portainer - --trusted-origins - as well an equivalent environment variable (TRUSTED_ORIGINS).
The workaround
With the --trusted-origins CLI option or TRUSTED_ORIGINS environment variable you can now specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy. Doing so will flag those domains as trusted, and should eliminate the error messages.
Let's say you are using portainer.mydomain.com as your domain for accessing Portainer via your proxy. You would set --trusted-origins portainer.mydomain.com in your Portainer start configuration to indicate you want to trust this domain. For example, via docker run:
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:lts --trusted-origins portainer.mydomain.com
or via compose, using the environment variable approach instead:
portainer:
image: portainer/portainer-ce:lts
command: -H unix:///var/run/docker.sock
restart: always
environment:
- TRUSTED_ORIGINS=portainer.mydomain.com
Start Portainer and you should now be good to go.
Note that this issue only affects access to Portainer via a web browser - it does not affect Portainer to Agent / Edge Agent communication at all. You should only need to implement this fix if you are running into this issue when trying to log into the Portainer web interface.
Going forward
We consider this workaround as somewhat of a temporary fix in order to get those affected back up and running as soon as possible. Internally we're continuing to work on a better way of handling these sorts of configurations in the future, and hope to have a solution soon that doesn't require manual configuration. We're also looking at our testing scenarios to potentially expand the types of reverse proxy configuration we test against before release.
COMMENTS