---
title: "Fixed: IndieAuth login broken for third-party apps After adding security…"
date: 2026-02-22T17:20:41.337Z
author: Ricardo Mendes
url: https://rmendes.net/notes/2026/02/22/a202f/
type: notes
categories:
  - "indieweb"
  - "IndieAuth"
  - "Nginx"
ai_text_level: "0"
tokens: 177
content_signal: ai-train=yes, search=yes, ai-input=yes
---

# Fixed: IndieAuth login broken for third-party apps After adding security…

[Fixed](https://github.com/rmdes/indiekit-cloudron/commit/cc7c6ecee2d404c99503e7a316975f572f1f8c17): IndieAuth login broken for third-party apps

After adding security headers (Content-Security-Policy) to harden the site, logging in with IndiePass and other IndieAuth clients silently failed — tapping "authorize" did nothing. 

The culprit was form-action 'self' in the CSP, which blocked Browsers from following the consent form's redirect to the client's callback URL (e.g., indiepass.app/android-callback).

Changed to form-action 'self' https: to allow IndieAuth redirects to any HTTPS callback. Affects all third-party IndieAuth clients (Micropub editors, Microsub readers, etc.), not just IndiePass.
