Dify widget Vanilla :

Added a stateless server-side proxy with 4 whitelisted routes:

- `POST /proxy/{config}/chat-messages` (SSE, CSRF required)
- `GET /proxy/{config}/messages`
- `GET /proxy/{config}/messages/{id}/suggested`
- `POST /proxy/{config}/messages/{id}/feedbacks` (CSRF required)

All routes are public (`_access: TRUE`). CSRF enforced on POST only.

New ProxyController forwards to Dify adding Authorization server-side. No token in the browser.

Kept SSE smooth: StreamedResponse, disabled buffering/compression, released session lock, small read chunks + flush.

Updated JS to call local proxy URLs; removed Authorization header; lazy-fetch X-CSRF-Token only on first POST.

Closes #3540395
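
The client-side behaviour described above (local proxy URLs only, no Authorization header, CSRF token fetched lazily on the first POST), as an added sketch that is not the merge request's own code. The `ROUTES` keys, the function names and the `/session/token` token URL (Drupal core's session token path) are assumptions; `fetchImpl` is injected so the logic can be exercised without a browser.

```javascript
// Added illustration; ROUTES keys and function names are hypothetical.
const ROUTES = {
  chat:      { method: 'POST', path: () => 'chat-messages' },
  messages:  { method: 'GET',  path: () => 'messages' },
  suggested: { method: 'GET',  path: (id) => `messages/${encodeURIComponent(id)}/suggested` },
  feedback:  { method: 'POST', path: (id) => `messages/${encodeURIComponent(id)}/feedbacks` },
};

// Pure request builder: only the four whitelisted routes, CSRF header on POST only.
function buildProxyRequest(config, route, id, csrfToken) {
  if (!Object.prototype.hasOwnProperty.call(ROUTES, route)) {
    throw new Error(`route not whitelisted: ${route}`);
  }
  const spec = ROUTES[route];
  if (spec.path.length === 1 && !id) throw new Error(`${route} needs a message id`);
  const headers = { Accept: route === 'chat' ? 'text/event-stream' : 'application/json' };
  if (spec.method === 'POST') {
    if (!csrfToken) throw new Error('POST routes need a CSRF token');
    headers['Content-Type'] = 'application/json';
    headers['X-CSRF-Token'] = csrfToken;
  }
  // Deliberately no Authorization header: the proxy adds the Dify key server-side.
  const url = `/proxy/${encodeURIComponent(config)}/${spec.path(id)}`;
  return { url, method: spec.method, headers };
}

// Client that fetches the CSRF token once, on the first POST, and reuses it.
// tokenUrl is an assumption (Drupal core's session token path).
function createProxyClient(config, fetchImpl, tokenUrl = '/session/token') {
  let tokenPromise = null;
  const csrf = () => {
    if (!tokenPromise) {
      tokenPromise = fetchImpl(tokenUrl, { credentials: 'same-origin' })
        .then((res) => res.text())
        .catch((err) => { tokenPromise = null; throw err; }); // retry on next POST
    }
    return tokenPromise;
  };
  return async function call(route, { id, body } = {}) {
    const isPost = Object.prototype.hasOwnProperty.call(ROUTES, route)
      && ROUTES[route].method === 'POST';
    const req = buildProxyRequest(config, route, id, isPost ? await csrf() : undefined);
    return fetchImpl(req.url, {
      method: req.method, headers: req.headers, credentials: 'same-origin',
      body: body === undefined ? undefined : JSON.stringify(body),
    });
  };
}
```

In a browser, `createProxyClient('my_config', window.fetch.bind(window))` gives a caller whose GET requests never trigger a token fetch.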