Crossmall

Admin access blocked

Management backend is private

Admin page access control is declared, but the trusted ingress header is missing. The reverse proxy or access gateway must set x-crossmall-admin-access=allowed after authenticating the request.

Declared control
trusted gateway
Missing
x-crossmall-admin-access

`ADMIN_API_TOKEN` is still only a local/staging API smoke fallback. Do not use it as public production admin page authentication.