
fix(api): revert to forwarding cookie header only #3701

Open
dargmuesli wants to merge 1 commit into nuxt:main from dargmuesli:fix/api/headers

dargmuesli (Member) commented Jan 25, 2026

🔗 Linked issue

Resolves #3695

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Forwarding all headers can make the fetch request return data with brotli compression which is not expected at the moment. Simple fix is to revert the change to headers used.

I've added an additional change that adds support for Nuxt CSRF protection as provided by the security module which uses the csurf module internally. This was the original reason for allowing more headers. In the future we may add a module option to whitelist a certain set of headers instead, but that's something to discuss in the future. If this feature addition is not wanted, simply remove the second line!

📝 Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.

vercel bot commented Jan 25, 2026

@dargmuesli is attempting to deploy a commit to the Nuxt Team on Vercel.

A member of the Team first needs to authorize it.

pkg-pr-new bot commented Jan 25, 2026

npm i https://pkg.pr.new/@nuxt/content@3701

commit: 967dbf3

coderabbitai bot commented Jan 25, 2026

📝 Walkthrough

The change updates header construction in src/runtime/internal/api.ts's fetchContent function: it replaces the unconditional spread of ...headers with conditional injection of a cookie header when headers.cookie exists and a CSRF header when both event.context.nitro.runtimeConfig.csurf.headerName and event.context.csrfToken are present. Existing ...options.headers remain included. No other control flow or exported/public declarations were changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The PR title accurately describes the main change: reverting to forward only the cookie header instead of all headers.
  • Description check: ✅ Passed. The PR description is directly related to the changeset, explaining the rationale for reverting header forwarding and noting the addition of CSRF support.
  • Linked Issues check: ✅ Passed. The PR addresses the core issue from #3695 by reverting unconditional header forwarding that caused brotli compression problems in production. The conditional cookie header forwarding restores expected behavior.
  • Out of Scope Changes check: ✅ Passed. All changes are in-scope: the cookie header revert addresses #3695, and the CSRF header support is an additional enhancement explicitly mentioned in the PR description as optional.


coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/runtime/internal/api.ts`:
- Around line 14-17: The headers construction accesses
event.context.nitro.runtimeConfig.csurf.headerName without guarding intermediate
properties and can throw if csurf or runtimeConfig is missing; update the
condition to use optional chaining for the full chain (e.g., check
event?.context?.nitro?.runtimeConfig?.csurf?.headerName and
event?.context?.csrfToken) before using the computed property, and keep the
existing spread of options.headers and cookie logic so the header is only added
when both the headerName and csrfToken are present.
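
The header construction described in the walkthrough and review comment above, as an added TypeScript example (not the @nuxt/content source and not code from this pull request). `HeaderMap`, `EventLike`, `buildForwardHeaders` and all sample values are hypothetical; the placement of the caller-supplied headers last is an assumption.

```typescript
// Added example, not the @nuxt/content source. HeaderMap, EventLike and
// buildForwardHeaders are hypothetical names; the property paths are the ones
// named in the walkthrough above.
type HeaderMap = Record<string, string | undefined>

interface EventLike {
  context?: {
    csrfToken?: string
    nitro?: { runtimeConfig?: { csurf?: { headerName?: string } } }
  }
}

// Build headers for the internal content fetch from an explicit allowlist
// (cookie, plus the CSRF header when configured) instead of spreading every
// incoming request header.
function buildForwardHeaders(
  event: EventLike | undefined,
  incoming: HeaderMap,
  optionHeaders: Record<string, string> = {},
): Record<string, string> {
  // Optional chaining over the whole path: without the CSRF module there is
  // no `csurf` key, and an unguarded access would throw a TypeError.
  const csrfHeaderName = event?.context?.nitro?.runtimeConfig?.csurf?.headerName
  const csrfToken = event?.context?.csrfToken
  const cookie = incoming['cookie']

  return {
    ...(cookie ? { cookie } : {}),
    ...(csrfHeaderName && csrfToken ? { [csrfHeaderName]: csrfToken } : {}),
    ...optionHeaders, // assumption: caller-supplied headers are applied last
  }
}

// Constructed sample values (not captured traffic).
const sampleIncoming: HeaderMap = {
  'cookie': 'session=constructed',
  'accept-encoding': 'gzip, deflate, br',
  'authorization': 'Bearer constructed-token',
}
const withCsrf: EventLike = {
  context: {
    csrfToken: 'constructed-csrf-token',
    nitro: { runtimeConfig: { csurf: { headerName: 'csrf-token' } } },
  },
}
const withoutCsrf: EventLike = { context: { nitro: { runtimeConfig: {} } } }
```

With `sampleIncoming`, neither `accept-encoding` nor `authorization` reaches the internal request, and an event without a `csurf` config yields only the cookie header.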

@dargmuesli dargmuesli force-pushed the fix/api/headers branch 2 times, most recently from 8e060f4 to 2e9ebfb Compare January 25, 2026 01:04
farnabaz (Member) commented Feb 5, 2026

> Forwarding all headers can make the fetch request return data with brotli compression which is not expected at the moment.

@dargmuesli Can't we just enforce Accept-Encoding to gzip, deflate or drop that header? If it's only about brotli, we can simply drop the header!

obj63mc commented Feb 5, 2026

@farnabaz - I have tested simply overwriting the header of Accept-Encoding in the nuxt.config routeRules but when running in production mode, since v3.11.x whenever using server side rendering, the following errors are still always returned. I even tried removing the header completely -

Route Rules:

routeRules: {
  '/__nuxt_content/**': {
    headers: {
      'Accept-Encoding': 'gzip, deflate' // or just '' to remove
    }
  }
}

Errors:

Database integrity check failed TypeError
 code: 'Z_DATA_ERROR',
  [cause]: Error: incorrect header check
...
[request error] [unhandled] [POST] http://localhost:3000/__nuxt_content/{contenttype}/query?v=v3.5.0--xAjoPoXoSfYkJiTVHdgWAiZ4y8fccTFopoR-DtcwS4s
 SqliteError: no such table: _content_...

As a note, on the frontend, once the page is loaded and navigating, Nuxt Content works as expected, but SSR is still broken.

farnabaz (Member) commented Feb 6, 2026

@obj63mc Could you try to monkey patch in node modules and test?


Successfully merging this pull request may close these issues.

no such table: error in production since v3.11.0 (works in dev)
