From 3dcbfe2e4d7acdc3dabe900eb12c44f5f54d7906 Mon Sep 17 00:00:00 2001
From: Kot <kot@yukata.tech>
Date: Wed, 15 Mar 2023 18:25:46 -0700
Subject: [PATCH] Add `Vary` headers in responses (#536)

* Add `Vary` headers in responses

* Add `Referer` to file handler `Vary`

* Fix Vary value for routes
---
 server/handlers.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/handlers.go b/server/handlers.go
index be4e9a6b..a5cccb5c 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -245,6 +245,8 @@ func canContainsXSS(contentType string) bool {
 
 /* The preview handler will show a preview of the content for browsers (accept type text/html), and referer is not transfer.sh */
 func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
+
 	vars := mux.Vars(r)
 
 	token := vars["token"]
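Review bot: The `Vary` value set at the top of previewHandler omits `Accept`, although the comment directly above says the preview is chosen for browsers by accept type text/html. If the same URL can return either the HTML preview or the raw file depending on `Accept` (the routing is not visible in this hunk), a shared cache could hand one variant to a client that asked for the other. Consider `w.Header().Set("Vary", "Accept, Range, Referer, X-Decrypt-Password")` here, or confirm that the preview and download routes never share a cache key. The body of previewHandler continues outside the hunk.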
@@ -397,6 +399,7 @@ func (s *Server) viewHandler(w http.ResponseWriter, r *http.Request) {
 		token(s.randomTokenLength),
 	}
 
+	w.Header().Set("Vary", "Accept")
 	if acceptsHTML(r.Header) {
 		if err := htmlTemplates.ExecuteTemplate(w, "index.html", data); err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
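Review bot: `w.Header().Set("Vary", "Accept")` in viewHandler replaces any `Vary` value already on the response, so a value added earlier by wrapping middleware (for example `Origin` from a CORS layer, if one is configured) would be silently dropped. `w.Header().Add("Vary", "Accept")` appends instead of overwriting and is the safer default. The same applies to the `Set("Vary", ...)` calls in previewHandler, headHandler and getHandler. Whether any middleware sets `Vary` before these handlers run cannot be seen from this diff.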
@@ -1157,6 +1160,7 @@ func (s *Server) headHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Connection", "close")
 	w.Header().Set("X-Remaining-Downloads", remainingDownloads)
 	w.Header().Set("X-Remaining-Days", remainingDays)
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
 
 	if s.storage.IsRangeSupported() {
 		w.Header().Set("Accept-Ranges", "bytes")
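Review bot: The literal `"Range, Referer, X-Decrypt-Password"` is now repeated in headHandler, previewHandler and getHandler, so a later change to the header list has to be made in three places and can drift. A package-level constant such as `const fileVaryHeaders = "Range, Referer, X-Decrypt-Password"` with a short comment on why each header is listed would keep the handlers consistent. A stale or incomplete `Vary` on one handler is a cache-correctness problem, so a single definition is worth having.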
@@ -1250,6 +1254,7 @@ func (s *Server) getHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", contentType)
 	w.Header().Set("Content-Length", strconv.FormatUint(contentLength, 10))
+	w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")
 
 	if _, err = io.Copy(w, decryptionReader); err != nil {
 		s.logger.Printf("%s", err.Error())
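Review bot: Listing `X-Decrypt-Password` in `Vary` in getHandler only tells a cache to key on that header; it does not stop a shared cache or CDN from storing the decrypted body that `io.Copy(w, decryptionReader)` writes. Unless `Cache-Control` is already set outside this hunk, responses produced with a password should be marked non-shareable, for example `if r.Header.Get("X-Decrypt-Password") != "" { w.Header().Set("Cache-Control", "private, no-store") }` before the copy. headHandler also emits `X-Remaining-Downloads`, so a cached response there could report a stale count, and a cached GET might never reach the server's download accounting. It is worth checking how the download limit behaves behind a cache.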
-- 
GitLab