Conversation
Replace catch-all route with explicit route handlers for each endpoint. Remove in-memory cache and stale-while-error logic in favor of direct proxy pass-through. Add typed Context and ContentfulStatusCode imports. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/4rxSgfqf_8e03QyKF2z9P75vink8hZ2eN_MRVyURJa4
Set Vercel-CDN-Cache-Control to cache responses at the edge for 60s, serve stale while revalidating for 1 hour, and serve stale on error for 1 day. Browser always revalidates with the CDN via Cache-Control public, max-age=0, must-revalidate. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/a5cSzprm1SagVeTqTLisTP11Tlat8d9yjFAPBn4jc-Q
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Vercel's CDN caches non-200 responses when cache headers are present. This caused 404s from upstream to be cached at the edge, delaying access to newly available resources. Co-Authored-By: Claude <noreply@anthropic.com> Agent transcript: https://claudescope.sentry.dev/share/jYGJnrx7n6sHPFnlv-7WZMp27WUdStyc0RflubaFWwY
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| app.get("/skills/*", (c) => { | ||
| const url = new URL(c.req.url); | ||
| const canonicalPath = c.req.path.slice("/skills".length) || "/"; | ||
| return c.redirect(`${canonicalPath}${url.search}`, 301); |
There was a problem hiding this comment.
Open redirect via double-slash in /skills/* redirect
Medium Severity
The /skills/* handler computes canonicalPath by slicing the raw request path and uses it directly in c.redirect(). Hono does not normalize double slashes in paths (confirmed by honojs/hono#3034), so a request to /skills//evil.com produces canonicalPath of //evil.com. A redirect to //evil.com is interpreted by browsers as a protocol-relative URL, redirecting the user to evil.com. The canonicalPath value needs validation to prevent it from starting with //.
There was a problem hiding this comment.
Addressing this in a follow-up
1 participant
Summary
Vercel-CDN-Cache-Controlheader: cache at edge for 60s, stale-while-revalidate for 1h, stale-if-error for 1 dayCache-Control: public, max-age=0, must-revalidateso browsers always revalidate with the CDNTest plan
x-vercel-cacheheader showsHITon repeated requests🤖 Generated with Claude Code
Agent transcript: https://claudescope.sentry.dev/share/w2TRhRncfsUWMEYQWt2e_fhCViqsFvH-APGEwffKWRM