Add workaround for http CSP configuration for WebKit browsers.

Byron · nshcr · claude · Byron · commit e33eb4973e6e · 2026-02-06T13:12:04.000+01:00
WebKit's security mechanisms block HTTP requests from applications, preventing GitButler from connecting to self-hosted instances over plain HTTP even with correct CSP configuration. Document using Caddy as a local HTTPS reverse proxy as a workaround. Based on: gitbutlerapp/gitbutler#12242 (comment) Co-authored-by: nshcr <104677079+nshcr@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/content/docs/troubleshooting/custom-csp.mdx b/content/docs/troubleshooting/custom-csp.mdx
@@ -62,4 +62,44 @@ Note that if `extraCsp` is the only entry in the JSON file, you may want to encl
 }
 ```
 
-The changes will take effect the next time you start GitButler.
+The changes will take effect the next time you start GitButler.
+
+## HTTP Instances on macOS
+
+On macOS, WebKit's security mechanisms block insecure (HTTP) network requests initiated from applications. This means that even with the correct CSP configuration, GitButler will not be able to connect to self-hosted instances served over plain HTTP. Other platforms may exhibit similar behavior depending on their WebView implementation.
+
+A practical workaround is to run a local HTTPS reverse proxy using [Caddy](https://caddyserver.com). Caddy automatically generates a locally-trusted TLS certificate, so GitButler sees a secure connection while your self-hosted instance continues to run over HTTP.
+
+### Setting Up a Local HTTPS Proxy with Caddy
+
+The following example shows how to set this up on macOS using [Homebrew](https://brew.sh), but the same approach works on any platform where Caddy is available.
+
+1. Install Caddy:
+
+```sh
+brew install caddy
+```
+
+2. Create a `Caddyfile` (for example in `~/.config/caddy/Caddyfile`) with the following content:
+
+```caddyfile
+https://127.0.0.1:PORT {
+    tls internal
+
+    reverse_proxy http://YOUR_INSTANCE:PORT {
+        header_up Host YOUR_INSTANCE_HOSTNAME
+    }
+}
+```
+
+Replace `YOUR_INSTANCE` and `PORT` with the hostname and port of your self-hosted instance. The `header_up Host` directive ensures the original `Host` header is forwarded correctly.
+
+3. Start Caddy:
+
+```sh
+caddy run --config ~/.config/caddy/Caddyfile
+```
+
+4. In GitButler, set your forge URL to `https://127.0.0.1:PORT` (matching the port from your Caddyfile) instead of the original HTTP URL.
+
+Your self-hosted instance will now be accessible to GitButler through the local HTTPS proxy.
