frontend/src/pages/api/[...path].ts

@@ -2,6 +2,13 @@ import type { APIRoute } from 'astro';
 
 const FORBIDDEN_HEADERS = new Set([
   'host', 'connection', 'content-length', 'transfer-encoding', 'origin', 'referer',
+  'accept-encoding',
+]);
+
+// Node fetch auto-decompresses the response body, so any encoding/length
+// headers from the upstream no longer match what we forward to the browser.
+const FORBIDDEN_RESPONSE_HEADERS = new Set([
+  'content-encoding', 'content-length', 'transfer-encoding',
 ]);
 
 export const ALL: APIRoute = async ({ request, params }) => {
@@ -39,8 +46,10 @@ export const ALL: APIRoute = async ({ request, params }) => {
 
     const responseHeaders = new Headers();
     response.headers.forEach((value, key) => {
+      const k = key.toLowerCase();
       // Set-Cookie can repeat and must NOT be merged. Handle it separately below.
-      if (key.toLowerCase() === 'set-cookie') return;
+      if (k === 'set-cookie') return;
+      if (FORBIDDEN_RESPONSE_HEADERS.has(k)) return;
       responseHeaders.set(key, value);
     });
     // @ts-ignore — getSetCookie is on Node fetch's Headers

frontend/src/pages/uploads/[...path].astro

@@ -11,8 +11,8 @@ if (!response.ok) {
 const headers = new Headers();
 const contentType = response.headers.get('content-type');
 if (contentType) headers.set('content-type', contentType);
-const contentLength = response.headers.get('content-length');
+// Skip content-length / content-encoding: Node fetch auto-decompresses the
-if (contentLength) headers.set('content-length', contentLength);
+// upstream response, so any length/encoding from the backend is stale.
 const etag = response.headers.get('etag');
 if (etag) headers.set('etag', etag);
 const lastModified = response.headers.get('last-modified');