62d0dab16d
Backend is bound to 127.0.0.1 — only nginx can reach it. Nginx checks cookie_session presence. Adding backend auth broke the LND UI iframe fetch because the session validation was too strict for the cross-proxy cookie flow. The nginx layer is the correct auth gate for this endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>