1. What is the issue? Please be detailed.
I have upgraded from ODK Central 2025.2 to 2025.3 on my server behind a reverse proxy. After doing so, I can no longer log in. Instead, I receive the message:
There was a problem logging out. This authentication method is only available over HTTPS Please refresh the page and try again.
In the server logs, I see:
[17/Dec/2025:19:15:25 +0000] "DELETE /v1/sessions/current HTTP/1.0" 401 82
I believe this is a bug, since I access other routes (e.g. I can reset my password successfully):
nginx-1 | 172.18.0.1 - - [17/Dec/2025:19:15:15 +0000] "POST /v1/users/reset/verify HTTP/1.1" 200 16 "https:[my.domain.com]/account/claim?token=[my_token]" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0"
service-1 | ::ffff:172.18.0.8 - - [17/Dec/2025:19:15:15 +0000] "POST /v1/users/reset/verify HTTP/1.0" 200 16
I am suspicious that either the recent changes to dependencies or the changes to CSP have introduced this issue. For reference, my network diagram for accessing this server is:
client machine ← https → gateway VPS ← HTTP over wireguard → ODK central server.
It could also be related to this commit message.
2. What steps can we take to reproduce this issue?
3. What have you tried to fix the issue?
I tried to use the HTTPS_PORT variable to serve my ODK central server, but was unable to solve the issue. Perhaps there is an HTTP header I need to set? There is nothing in the upgrade notes about this change.
I have seen the Central API includes the note:
In addition, because credentials are sent in plaintext as part of the request, the server will only accept Basic auth over HTTPS. If your ODK Central server is set up over plain HTTP, it will not accept Basic auth.
However, I cannot see a changelog for this documentation to see if this was a recent change or not to get more insight into the causes.
4. Upload any forms or screenshots you can share publicly below.
N/A.