All POST requests with Content-Type: application/json and a request body are timing out after 20-30 seconds with 0 bytes received. GET requests work perfectly fine (returning 200 OK in <1 second). This makes authentication and all write operations completely non-functional in production. ERROR MESSAGES: - curl error: "Operation timed out after 30005 milliseconds with 0 bytes received" - HTTP Status: 000 (no response) - Browser console: "Failed to fetch" / Network timeout errors - No error logs appear in Railway deployment logs (requests never reach the service) LOGS (BUILD AND/OR DEPLOY): Build logs show successful deployment: ✓ Service deployed successfully ✓ All health checks passing ✓ GET endpoints responding normally Deploy logs show: ✓ GET /health → 200 OK (0.640s) ✓ GET /api/auth/public-key → 200 OK (0.623s) ✓ POST /api/security/csrf-token (no body) → 404 in 0.598s POST /api/auth/login (with JSON) → NO LOGS (request never arrives) POST /api/applications/search (with JSON) → NO LOGS (request never arrives) The critical finding: POST requests with JSON payloads generate ZERO logs in Railway deployment logs, suggesting they are being dropped/blocked before reaching our service. GITHUB REPO/CODE/TEMPLATE: Repository: Private (admission system for school) Template: Node.js/Express backend deployed to Railway Project URL: https://admisionmtnbackendv2-production.up.railway.app Project Name: admisionmtnbackendv2-production REPRODUCTION STEPS: 1. Execute this curl command: curl -X POST "https://admisionmtnbackendv2-production.up.railway.app/api/auth/login" \ -H "Content-Type: application/json" \ -d '{"email":"test@mtn.cl","password":"test123"}' \ --max-time 30 -v 2. Observe: Request hangs for 30 seconds 3. Result: Timeout with 0 bytes received 4. Check Railway logs: No entry for this request (never reached service) WORKING COMPARISON (Local): Same exact code on localhost:8080 works perfectly: - Response time: 77ms - Status: 200 OK - Returns valid JWT token PATTERN OBSERVED: GET requests → Work perfectly POST without body → Work perfectly (even 404 errors return fast) POST with JSON body → Timeout (0 bytes received) This pattern strongly suggests Railway's infrastructure layer (WAF/Firewall/Proxy) is blocking POST requests with JSON payloads before they reach our service. QUESTIONS FOR RAILWAY SUPPORT: 1. Is there a WAF or firewall rule blocking POST requests with JSON bodies? 2. Can you check Railway-side proxy logs to see what happens to these requests? 3. Is there a rate limiter or security policy we need to configure? 4. How can we whitelist our legitimate POST+JSON traffic? IMPACT: - 100% of users cannot log in - 100% of application submissions failing - Production system completely unusable - Business operations halted URGENT: Need assistance to identify why POST+JSON requests are being blocked/dropped at Railway's infrastructure layer before reaching our deployed service.