fix(proxy): block proxy-connection hop-by-hop header from client responses
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #304.
@@ -12,7 +12,8 @@ const HOP_BY_HOP_HEADERS = new Set([
|
|||||||
'proxy-authenticate',
|
'proxy-authenticate',
|
||||||
'proxy-authorization',
|
'proxy-authorization',
|
||||||
'te',
|
'te',
|
||||||
'trailer'
|
'trailer',
|
||||||
|
'proxy-connection'
|
||||||
]);
|
]);
|
||||||
|
|
||||||
async function proxy(event: Parameters<RequestHandler>[0]): Promise<Response> {
|
async function proxy(event: Parameters<RequestHandler>[0]): Promise<Response> {
|
||||||
|
|||||||
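Review bot: The deny-list covers only fixed header names, so a field that the upstream nominates in its `Connection` value is hop-by-hop under RFC 9110 §7.6.1 yet would not be caught by `HOP_BY_HOP_HEADERS` alone. The opening lines of the set and the body of `proxy()` are outside this hunk, so the filter may already handle that case. If it does not, the limit is worth recording on the set, e.g. `// Static names only: fields listed in the upstream Connection header must be stripped separately (RFC 9110 §7.6.1)`. It would also help to state whether the set is applied to client-to-upstream request headers, since the commit title mentions only responses.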
@@ -167,6 +167,23 @@ describe('catch-all API proxy — forwarding', () => {
|
|||||||
expect(response.headers.get('Content-Disposition')).toBe('attachment; filename="document.pdf"');
|
expect(response.headers.get('Content-Disposition')).toBe('attachment; filename="document.pdf"');
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('does not forward proxy-connection hop-by-hop header', async () => {
|
||||||
|
const mockFetch = vi.fn().mockResolvedValue(
|
||||||
|
new Response('data', {
|
||||||
|
status: 200,
|
||||||
|
headers: {
|
||||||
|
'Content-Type': 'application/json',
|
||||||
|
'Proxy-Connection': 'keep-alive'
|
||||||
|
}
|
||||||
|
})
|
||||||
|
);
|
||||||
|
const event = makeEvent('documents', 'GET', mockFetch);
|
||||||
|
|
||||||
|
const response = await GET(event as never);
|
||||||
|
|
||||||
|
expect(response.headers.get('Proxy-Connection')).toBeNull();
|
||||||
|
});
|
||||||
|
|
||||||
it('does not forward hop-by-hop headers like transfer-encoding', async () => {
|
it('does not forward hop-by-hop headers like transfer-encoding', async () => {
|
||||||
const mockFetch = vi.fn().mockResolvedValue(
|
const mockFetch = vi.fn().mockResolvedValue(
|
||||||
new Response('data', {
|
new Response('data', {
|
||||||
|
|||||||
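Review bot: The new case `it('does not forward proxy-connection hop-by-hop header', …)` asserts only that `Proxy-Connection` is absent, so it would still pass if the proxy dropped every upstream header. Adding `expect(response.headers.get('Content-Type')).toBe('application/json');` beside the `toBeNull()` check would pin that the filter removes the hop-by-hop field and nothing else, assuming the proxy passes Content-Type through unchanged. The case closely mirrors the transfer-encoding test that follows it, so an `it.each` over the header names would keep the two from drifting as the set grows. The enclosing `describe` block begins outside the hunk.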