
fix(cors): preserve existing Vary header from response #4479

Closed
Higangssh wants to merge 1 commit into honojs:main from Higangssh:fix/cors-vary-header-preservation

@Higangssh

Summary

Fixes #4471

The CORS middleware was incorrectly reading the Vary header from the request instead of the response, causing it to overwrite any Vary headers set by the application.

Problem

When a controller sets a Vary header (e.g., Vary: Accept), the CORS middleware would overwrite it because:

  1. It was checking c.req.header('Vary') (request header)
  2. Clients don't send Vary headers (it's a response-only header)
  3. This caused the middleware to always set Vary: Origin without preserving existing values

Solution

  • Move Vary header handling to after await next() for non-OPTIONS requests
  • Read existing Vary header from c.res.headers instead of c.req.header
  • Preserve existing Vary values and append 'Origin' if not already present
  • Handle OPTIONS requests separately before early return

Changes

  • src/middleware/cors/index.ts: Fixed Vary header logic
  • src/middleware/cors/index.test.ts: Added test case to verify preservation

Testing

  • All 13 CORS middleware tests pass
  • New test Should preserve existing Vary header from response added
  • Full test suite runs successfully (2000+ tests)
  • No side effects on other functionality

The CORS middleware was incorrectly reading the Vary header from the
request instead of the response, causing it to overwrite any Vary
headers set by the application.

Changes:
- Move Vary header handling to after await next() for non-OPTIONS requests
- Read existing Vary header from response instead of request
- Preserve and append 'Origin' to existing Vary values
- Add test case to verify Vary header preservation

Fixes honojs#4471
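
The difference between the two lookups described above, as an added example that is not part of the pull request or of Hono's source. The function names and sample headers are constructed for illustration, and the "request lookup" function is a model of the behaviour the description reports, not the middleware's actual code.

```javascript
// Added illustration, not code from honojs/hono or from this pull request.

// Merge one field name into a Vary value: keep existing entries, compare
// case-insensitively to avoid duplicates, and leave "*" untouched.
function mergeVary(existing, field) {
  const entries = (existing ?? '')
    .split(',')
    .map((v) => v.trim())
    .filter(Boolean)
  if (entries.includes('*')) return '*'
  const present = entries.some((v) => v.toLowerCase() === field.toLowerCase())
  return present ? entries.join(', ') : [...entries, field].join(', ')
}

// Model of the behaviour the description reports as the bug (an assumption
// drawn from the text): the existing value is looked up on the request.
function applyVaryFromRequest(reqHeaders, resHeaders) {
  const existing = reqHeaders.get('Vary') // normally null: clients do not send Vary
  resHeaders.set('Vary', existing ?? 'Origin') // replaces what the app set
  return resHeaders.get('Vary')
}

// Model of the described fix: look at the response and append to it.
function applyVaryFromResponse(resHeaders) {
  resHeaders.set('Vary', mergeVary(resHeaders.get('Vary'), 'Origin'))
  return resHeaders.get('Vary')
}

// Constructed sample: a browser-style request and a response whose handler
// already declared that the body depends on Accept.
const sampleRequest = () =>
  new Headers({ Origin: 'https://app.example', Accept: 'application/json' })
const sampleResponse = () => new Headers({ Vary: 'Accept' })

console.log('request lookup :', applyVaryFromRequest(sampleRequest(), sampleResponse()))
console.log('response lookup:', applyVaryFromResponse(sampleResponse()))
```

When `Accept` is dropped from `Vary`, a shared cache no longer distinguishes representations by that header, so the overwrite affects cache correctness as well as CORS handling.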
@codecov

codecov bot commented Oct 24, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.30%. Comparing base (5216117) to head (ce40a76).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4479   +/-   ##
=======================================
  Coverage   91.30%   91.30%           
=======================================
  Files         173      173           
  Lines       11190    11195    +5     
  Branches     3228     3230    +2     
=======================================
+ Hits        10217    10222    +5     
  Misses        972      972           
  Partials        1        1           

@Higangssh Higangssh closed this Nov 13, 2025
Development

Successfully merging this pull request may close these issues.

'Vary' response header is overwritten when using CORS middleware unless provided in request headers