2026-05-18 13:55:42 +02:00
2 changed files with 12 additions and 3 deletions
@@ -2,6 +2,13 @@ import type { APIRoute } from 'astro';

 const FORBIDDEN_HEADERS = new Set([
  'host', 'connection', 'content-length', 'transfer-encoding', 'origin', 'referer',
+  'accept-encoding',
+]);
+
+// Node fetch auto-decompresses the response body, so any encoding/length
+// headers from the upstream no longer match what we forward to the browser.
+const FORBIDDEN_RESPONSE_HEADERS = new Set([
+  'content-encoding', 'content-length', 'transfer-encoding',
 ]);

 export const ALL: APIRoute = async ({ request, params }) => {
@@ -39,8 +46,10 @@ export const ALL: APIRoute = async ({ request, params }) => {

    const responseHeaders = new Headers();
    response.headers.forEach((value, key) => {
+      const k = key.toLowerCase();
      // Set-Cookie can repeat and must NOT be merged. Handle it separately below.
-      if (key.toLowerCase() === 'set-cookie') return;
+      if (k === 'set-cookie') return;
+      if (FORBIDDEN_RESPONSE_HEADERS.has(k)) return;
      responseHeaders.set(key, value);
    });
    // @ts-ignore — getSetCookie is on Node fetch's Headers
@@ -11,8 +11,8 @@ if (!response.ok) {
 const headers = new Headers();
 const contentType = response.headers.get('content-type');
 if (contentType) headers.set('content-type', contentType);
-const contentLength = response.headers.get('content-length');
-if (contentLength) headers.set('content-length', contentLength);
+// Skip content-length / content-encoding: Node fetch auto-decompresses the
+// upstream response, so any length/encoding from the backend is stale.
 const etag = response.headers.get('etag');
 if (etag) headers.set('etag', etag);
 const lastModified = response.headers.get('last-modified');