From 9aed8f08cd599114515300acd03544b6a6d222d8 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Sat, 18 Apr 2026 08:55:21 +0000
Subject: fix(cdn): preserve upstream headers alongside CORS and cache overrides

The response was built with `{ "Cache-Control": ..., "Access-Control-
Allow-Origin": ..., ...response.headers }`. Spreading a Headers instance into a plain object does not expand into own properties, so upstream headers (including Content-Type) were dropped on the floor. Build a Headers copy of the upstream response and .set() the overrides on it, so Content-Type and friends survive alongside the locked-down CORS origin and long cache policy.
---
 apps/cdn/index.ts | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/apps/cdn/index.ts b/apps/cdn/index.ts
index e0d63db5..63b6e798 100644
--- a/apps/cdn/index.ts
+++ b/apps/cdn/index.ts
@@ -99,14 +99,16 @@ const handleRequest = async (originalRequest) => {
 // );
 // }
 
+ const responseHeaders = new Headers(response.headers);
+ responseHeaders.set(
+ "Cache-Control",
+ "public, immutable, s-maxage=31536000, max-age=31536000, stale-while-revalidate=60",
+ );
+ responseHeaders.set("Access-Control-Allow-Origin", "https://due.moe");
+
 return new Response(response.body, {
 status: response.status,
 statusText: response.statusText,
- headers: {
- "Cache-Control":
- "public, immutable, s-maxage=31536000, max-age=31536000, stale-while-revalidate=60",
- "Access-Control-Allow-Origin": "https://due.moe",
- ...response.headers,
- },
+ headers: responseHeaders,
 });
 };
-- 
cgit v1.2.3
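Review bot: `new Headers(response.headers)` now forwards every upstream header to the client, and the only ones overridden afterwards are `Cache-Control` and `Access-Control-Allow-Origin`. Combined with `public, immutable` and a one-year `s-maxage`, an upstream `Set-Cookie` can end up stored by a shared cache and replayed to other visitors, and upstream CORS headers such as `Access-Control-Allow-Credentials` would ride along with the pinned origin. Consider dropping those after the copy, e.g. `responseHeaders.delete("Set-Cookie");` and `responseHeaders.delete("Access-Control-Allow-Credentials");`, or copying only an allowlist (`Content-Type`, `ETag`, `Last-Modified`). The same year-long policy is applied whatever `response.status` is, so an upstream error response would presumably be cached as immutable too; the start of `handleRequest` is outside this hunk, so an earlier status check may already cover that.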