Admin access blocked
Management backend is private
Admin page access control is declared, but the trusted ingress header is missing. The reverse proxy or access gateway must set x-crossmall-admin-access=allowed after authenticating the request.
- Declared control
- trusted gateway
- Missing
- x-crossmall-admin-access
`ADMIN_API_TOKEN` is still only a local/staging API smoke fallback. Do not use it as public production admin page authentication.