HTTP HEAD request returns 403

[fhennig]

Astro Info

Astro                    v5.1.10
Node                     v23.4.0
System                   macOS (arm64)
Package Manager          npm
Output                   server
Adapter                  @astrojs/node
Integrations             none

If this issue only occurs in one browser, which browser is a problem?

No response

Describe the Bug

When using SSR and the standalone server in node, a HEAD request will return a 403 response.

What's the expected result?

A 200 response.

Link to Minimal Reproducible Example

https://github.com/fhennig/astro-head-403

Participation

• I am willing to submit a pull request for this issue.

---

In addition to the linked example, you can reproduce with the following steps:

• Create an astro app: npm create astro@latest
• Install the node plugin: npm i @astrojs/node
• Configure SSR:

import { defineConfig } from 'astro/config';
import node from '@astrojs/node'; // or another adapter

export default defineConfig({
  output: 'server', // Enable SSR
  adapter: node({ mode: 'standalone' }),
});

• Build: npm run build
• serve: node ./dist/server/entry.mjs
• do a head reaquest: curl --head http://localhost:4321

We noticed this because some uptime checkers do HEAD requests and showed our site as being down.

[corneliusroemer]

We first encountered this with Astro v5 on 2 projects using Astro.

Note: The bug does not surface when you do a npm run dev - one needs to build and serve the production version.

When bisecting in the loculus-project/loculus codebase, astro v4.16.17 was still working fine and v5.0.2 was bad.

Specific versions that made it bad:

@astrojs/node: 8.3.4 -> 9.0.0
astro: 4.16.17 -> 5.0.2
@astrojs/react: 3.6.3 -> 4.0.0

[corneliusroemer]

I can reproduce within the astro code base using example/ssr and the following commands:

pnpm i
pnpm build
pnpm --filter @example/ssr i
pnpm --filter @example/ssr build
pnpm --filter @example/ssr preview &
curl -I http://localhost:4321

Bisecting yields the following as the first bad commit: #12588

[joshmkennedy]

I believe this is the line of code that is causing the issue

const sameOrigin =
			(request.method === 'POST' ||
				request.method === 'PUT' ||
				request.method === 'PATCH' ||
				request.method === 'DELETE') &&
			request.headers.get('origin') === url.origin;

request.method === 'HEAD' should be added to this list

[joshmkennedy]

Actually, I was wrong.

This fixes it, which is the line above what I pasted mentioned.

	if (request.method === 'GET' || request.method === "HEAD") {
	return next();
	}

I submitted a pull request here #13100 with the fix

[corneliusroemer]

Good spot @joshmkennedy! The bug was introduced in 315c5f3#diff-aeb15293e9b48a0df451f282702d3145060faecc40e2360faf3d9b059c862f1f where forbidden methods (POST, PATCH, DELETE,...) were wrongly inverted to just GET (omitting HEAD)