
fix(api): do not forward accept encoding header#3701

Merged: farnabaz merged 1 commit into nuxt:main from dargmuesli:fix/api/headers on Feb 26, 2026

@dargmuesli (Member) commented Jan 25, 2026

🔗 Linked issue

Resolves #3695

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Forwarding all headers the Accept-Encoding header can make the fetch request return data with brotli compression which is not expected at the moment. Simple fix is to revert the change to headers used.

I've added an additional change that adds support for Nuxt CSRF protection as provided by the security module which uses the csurf module internally. This was the original reason for allowing more headers. In the future we may add a module option to whitelist a certain set of headers instead, but that's something to discuss in the future. If this feature addition is not wanted, simply remove the second line!

📝 Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.

@vercel bot commented Jan 25, 2026

@dargmuesli is attempting to deploy a commit to the Nuxt Team on Vercel.

A member of the Team first needs to authorize it.

@pkg-pr-new bot commented Jan 25, 2026

npm i https://pkg.pr.new/@nuxt/content@3701

commit: d44d5cd

@coderabbitai bot commented Jan 25, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

A single-line change in src/runtime/internal/api.ts's fetchContent sets headers['accept-encoding'] = undefined after header composition to prevent sending an unsupported encoding header. No other control flow, exported/public declarations, or header merging logic were modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'fix(api): do not forward accept encoding header' accurately describes the main change of preventing Accept-Encoding header forwarding to fix the brotli compression issue.
  • Description check: ✅ Passed. The description is related to the changeset, explaining that forwarding all headers causes brotli-compressed responses and referencing the linked issue #3695.
  • Linked Issues check: ✅ Passed. The code change directly addresses the root cause identified in issue #3695: preventing brotli compression by not forwarding the Accept-Encoding header, which aligns with the solution proposed in linked issue discussions.
  • Out of Scope Changes check: ✅ Passed. The change is narrowly scoped to setting headers['accept-encoding'] = undefined in the fetchContent function, directly addressing the compression issue without introducing unrelated modifications.


@coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/runtime/internal/api.ts`:
- Around line 14-17: The headers construction accesses
event.context.nitro.runtimeConfig.csurf.headerName without guarding intermediate
properties and can throw if csurf or runtimeConfig is missing; update the
condition to use optional chaining for the full chain (e.g., check
event?.context?.nitro?.runtimeConfig?.csurf?.headerName and
event?.context?.csrfToken) before using the computed property, and keep the
existing spread of options.headers and cookie logic so the header is only added
when both the headerName and csrfToken are present.

@dargmuesli force-pushed the fix/api/headers branch 2 times, most recently from 8e060f4 to 2e9ebfb, on January 25, 2026 01:04

@farnabaz (Member) commented Feb 5, 2026

Forwarding all headers can make the fetch request return data with brotli compression which is not expected at the moment.

@dargmuesli Can't we just enforce Accept-Encoding to gzip, deflate or drop that header? If it's only about brotli, we can simply drop the header!

@obj63mc commented Feb 5, 2026

@farnabaz - I have tested simply overwriting the header of Accept-Encoding in the nuxt.config routeRules but when running in production mode, since v3.11.x whenever using server side rendering, the following errors are still always returned. I even tried removing the header completely -

Route Rules:

routeRules:{
		'/__nuxt_content/**':{
			headers: {
				'Accept-Encoding': 'gzip, deflate' // or just '' to remove
			}
		}
}

Errors:

Database integrity check failed TypeError
 code: 'Z_DATA_ERROR',
  [cause]: Error: incorrect header check
...
[request error] [unhandled] [POST] http://localhost:3000/__nuxt_content/{contenttype}/query?v=v3.5.0--xAjoPoXoSfYkJiTVHdgWAiZ4y8fccTFopoR-DtcwS4s
 SqliteError: no such table: _content_...

As a note frontend once the page is loaded and navigating nuxt content works as expected but SSR is still broken

@farnabaz (Member) commented Feb 6, 2026

@obj63mc Could you try to monkey patch in node modules and test?

@obj63mc commented Feb 6, 2026

So testing this - as the code is set in v3.11.x - when passing all headers the following are passed -

 accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'accept-encoding': 'gzip, deflate, br, zstd'

Using the fix in this PR and only passing cookie header the headers are

accept: 'application/json'

If I hard code to delete the accept-encoding header just after the creation of the fetchOptions runtime/internal/api.js with -

delete(fetchOptions.headers['accept-encoding']);

then this functions as it should.

I also tried just overwriting the header in the nuxt.config routeRules but that would not work and is being ignored.
So my recommendation is if you simply want to pass all headers we either need to manually remove the accept-encoding header or set it to something that will work like -

'accept-encoding': '*'

@dargmuesli (Member, Author)

I'm currently testing another fix related to compression, will update you when I got the results and check the solution proposed above too of course.

@tux2nicolae

Are there any workarounds until a proper fix is made?

@obj63mc commented Feb 10, 2026

I currently have not found a way to work around this other than to run version 3.10 or by editing the internal/api.js file manually in node modules.

@dargmuesli (Member, Author)

You can pnpm patch dependencies, I'm sure there is similar functionality for other package managers. See my patch here: https://github.com/maevsi/vibetype/blob/372ce28eacbb646bdbaa2135cdfbb827eae72baf/patches/%40nuxt__content.patch

@farnabaz (Member) left a comment

csurf header here is an internal logic of csurf module and I believe it should not be used here.

As @obj63mc tested here we can remove accept-encoding from headers or set it to undefined

headers: {
      ...headers,
      'accept-encoding': undefined,
...

This way we will keep all other headers like csurf
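
The header handling debated in this thread, as an added example that is not part of the PR or of @nuxt/content: a helper that drops Accept-Encoding case-insensitively and optionally applies the header allowlist the PR description mentions as a possible future option. The function names, the `allow` and `extra` options and the sample header values are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not code from @nuxt/content.
// Builds the headers for a server-side internal fetch from the incoming request.
const ALWAYS_DROP = new Set(['accept-encoding'])

function forwardableHeaders(incoming, { allow = null, extra = {} } = {}) {
  const allowed = allow && new Set(allow.map(n => n.toLowerCase()))
  const out = {}
  for (const [name, value] of Object.entries(incoming || {})) {
    const key = name.toLowerCase() // header names are case-insensitive
    if (ALWAYS_DROP.has(key)) continue // the browser's encodings are not ours to promise
    if (allowed && !allowed.has(key)) continue // optional allowlist
    if (value == null) continue // omit the key instead of forwarding an undefined value
    out[key] = Array.isArray(value) ? value.join(', ') : String(value)
  }
  // Headers the server adds itself go last and pass the same drop filter.
  for (const [name, value] of Object.entries(extra)) {
    const key = name.toLowerCase()
    if (!ALWAYS_DROP.has(key) && value != null) out[key] = String(value)
  }
  return out
}

// Spread-and-override removes only the exact key spelling it names.
function spreadOverride(headers) {
  return { ...headers, 'accept-encoding': undefined }
}

// Constructed sample: the accept-encoding value reported in the thread, plus a
// mixed-case duplicate and placeholder cookie and CSRF headers.
const sample = {
  accept: 'text/html,application/xhtml+xml',
  'accept-encoding': 'gzip, deflate, br, zstd',
  'Accept-Encoding': 'br',
  cookie: 'session=constructed-value',
  'x-constructed-csrf': 'constructed-token',
}

console.log(spreadOverride(sample)['Accept-Encoding'])
console.log(forwardableHeaders(sample))
console.log(forwardableHeaders(sample, { allow: ['Cookie', 'X-Constructed-CSRF'] }))
```

Node lower-cases the names of incoming request headers, so the mixed-case key matters for header objects supplied by calling code rather than for the raw request.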

danielwaltz added a commit to danielwaltz/daniel-waltz that referenced this pull request Feb 21, 2026
@danielwaltz

Just FYI for anyone here who needs it before this gets resolved, as a possible workaround you can also disable the nitro.compressPublicAssets option if you have it enabled.

Of course this means that all compression will be disabled in production for you, so I'd only recommend this workaround if you have a low traffic site!

@dargmuesli changed the title from "fix(api): revert to forwarding cookie header only" to "fix(api): do not forward accept encoding header" on Feb 22, 2026
@dargmuesli requested a review from farnabaz on February 22, 2026 13:43
@farnabaz merged commit 1d92be5 into nuxt:main on Feb 26, 2026
5 of 6 checks passed

Development

Successfully merging this pull request may close these issues.

no such table: error in production since v3.11.0 (works in dev)

5 participants