From eb6e3fa88558f5a3f2bcab088e0be2e69d95aa23 Mon Sep 17 00:00:00 2001
From: Stacy Olivas <kg7qin@arrl.net>
Date: Thu, 9 Apr 2026 21:20:19 -0700
Subject: [PATCH] fix: add X-Requested-With header to zombie-recover and
 radio-offline-clear fetch calls

Both banner action buttons were posting without the required
X-Requested-With header, causing the CSRF guard to return 403.
---
 modules/web_viewer/templates/base.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/web_viewer/templates/base.html b/modules/web_viewer/templates/base.html
index f4c7eb7..94157d3 100644
--- a/modules/web_viewer/templates/base.html
+++ b/modules/web_viewer/templates/base.html
@@ -488,7 +488,7 @@
         btn.innerHTML = '<i class="fas fa-spinner fa-spin me-1"></i>Restarting\u2026';
         fetch('/api/admin/zombie-recover', {
             method: 'POST',
-            headers: {'Content-Type': 'application/json'}
+            headers: {'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest'}
         })
         .then(function(r) { return r.json(); })
         .then(function(data) {
@@ -544,7 +544,7 @@
         btn.innerHTML = '<i class="fas fa-spinner fa-spin me-1"></i>Clearing\u2026';
         fetch('/api/admin/radio-offline-clear', {
             method: 'POST',
-            headers: {'Content-Type': 'application/json'}
+            headers: {'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest'}
         })
         .then(function(r) { return r.json(); })
         .then(function(data) {