
Web Framework Integrations

Anubis works as a reverse proxy in front of your application. This guide covers framework-specific configurations to ensure smooth integration.

WordPress

WordPress is the most popular blog engine on the planet.

Multi-site Setup with TLS Termination

If you have a multi-site setup where traffic goes through Anubis and TLS is terminated before the request reaches WordPress, WordPress may not realize that the underlying connection is being made over HTTPS. This can lead to a redirect loop in the /wp-admin/ routes.

Solution: Add the following to your wp-config.php file:
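// Treat the request as HTTPS when the proxy in front reports it as such.
// X-Forwarded-Proto is a client-settable header, so this is only reliable
// when WordPress can be reached solely through the proxy.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
    $_SERVER['SERVER_PORT'] = 443;
}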
This makes WordPress think that your connection is over HTTPS instead of plain HTTP.

HTMX

HTMX is a framework that enables you to write applications using hypertext as the engine of application state. This lets you simplify your server-side code by having it return HTML instead of JSON. Returning HTML can interfere with Anubis because Anubis challenge pages also return HTML.

Allow HTMX Requests After Challenge

To work around this, you can make a custom expression rule that allows HTMX requests if the user has passed a challenge in the past:
- name: allow-htmx-iff-already-passed-challenge
  action: ALLOW
  expression:
    all:
      - '"Cookie" in headers'
      - 'headers["Cookie"].contains("anubis-auth")'
      - '"Hx-Request" in headers'
      - 'headers["Hx-Request"] == "true"'
This rule:
  1. Checks that the request has cookies
  2. Verifies the anubis-auth cookie is present
  3. Confirms this is an HTMX request via the Hx-Request header
  4. Allows the request to pass through
This reduces security somewhat because the rule does not assert the validity of the Anubis auth cookie: it only checks that the Cookie header contains the string anubis-auth. In exchange, it improves the experience for existing users.
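To make that trade-off concrete, the following added example (not part of Anubis or its documentation) models the rule's four conditions in plain Python and runs them over constructed request headers. The function names, the NO_MATCH label and the sample headers are assumptions made for illustration; what happens to a non-matching request depends on the rest of your policy.

```python
# Plain-Python model of the allow-htmx-iff-already-passed-challenge rule.
# Illustration only: this is not Anubis's expression evaluator.

# Each entry mirrors one line of the rule's `all:` list, in order.
RULE_CONDITIONS = [
    ("has Cookie header", lambda h: "Cookie" in h),
    ("Cookie contains anubis-auth", lambda h: "anubis-auth" in h["Cookie"]),
    ("has Hx-Request header", lambda h: "Hx-Request" in h),
    ("Hx-Request is true", lambda h: h["Hx-Request"] == "true"),
]


def evaluate(headers):
    """Return ("ALLOW", None) when every condition holds,
    otherwise ("NO_MATCH", <first failing condition>)."""
    for label, check in RULE_CONDITIONS:
        if not check(headers):
            return ("NO_MATCH", label)
    return ("ALLOW", None)


# Constructed sample headers (all values are placeholders).
SAMPLES = {
    # Returning visitor, HTMX partial request: the case the rule is meant for.
    "htmx_with_cookie": {"Cookie": "anubis-auth=<token>; theme=dark",
                         "Hx-Request": "true"},
    # HTMX request from a client that has no cookies yet.
    "htmx_first_visit": {"Hx-Request": "true"},
    # Ordinary page load: has the cookie but is not an HTMX request.
    "page_load_with_cookie": {"Cookie": "anubis-auth=<token>"},
    # The cookie value is never verified, only its presence.
    "unverified_cookie_value": {"Cookie": "anubis-auth=placeholder",
                                "Hx-Request": "true"},
    # contains() is a substring match on the whole Cookie header,
    # so a differently named cookie satisfies it too.
    "other_cookie_name": {"Cookie": "not-anubis-auth-related=1",
                          "Hx-Request": "true"},
}


def review():
    """Evaluate every sample and return {sample name: (verdict, reason)}."""
    return {name: evaluate(headers) for name, headers in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in review().items():
        print(f"{name:26} {verdict:9} {reason or ''}")
```

The last two samples are the ones to weigh when deciding whether to deploy the rule: both are allowed without any check of the cookie's contents.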

General Integration Tips

Setting the Target

Configure Anubis to proxy to your backend application:
TARGET=http://localhost:3000

Custom Headers

If your framework needs specific headers, use the target host configuration:
TARGET_HOST=myapp.example.com

Base Prefix

If your application is served under a subpath:
BASE_PREFIX=/myapp
STRIP_BASE_PREFIX=true
For multi-domain setups:
COOKIE_DOMAIN=.example.com
Or use dynamic domain detection:
COOKIE_DYNAMIC_DOMAIN=true

Framework-Specific Challenges

Single Page Applications (SPAs)

For React, Vue, Angular, etc.:
  • Ensure your SPA can handle the initial challenge page
  • Consider using the og-passthrough feature for better social sharing
  • Configure proper redirect domains

API-First Applications

For applications that primarily serve JSON:
  • Use the /api/check endpoint for auth validation
  • Configure policies to ALLOW authenticated API requests
  • Consider using JWT restriction headers for additional security

Server-Side Rendered Applications

For Next.js, Nuxt, SvelteKit, etc.:
  • These typically work out of the box
  • Ensure cookies are properly forwarded
  • Test your build process with Anubis in front

Troubleshooting

Redirect Loops

If you’re experiencing redirect loops:
  1. Check X-Forwarded-Proto header handling
  2. Verify COOKIE_SECURE matches your TLS setup
  3. Review COOKIE_SAME_SITE configuration

CORS Issues

If CORS is blocking requests:
  1. Ensure your backend CORS settings allow the Anubis cookie
  2. Check that COOKIE_SAME_SITE is appropriate for your setup
  3. Verify REDIRECT_DOMAINS includes all necessary origins

Session Management

If sessions aren’t persisting:
  1. Configure COOKIE_EXPIRATION_TIME appropriately
  2. Ensure ED25519_PRIVATE_KEY_HEX is set for persistence
  3. Verify your store backend is properly configured
