From 517d85b488a688fedb0e9f9b473dddf0b11e2bb7 Mon Sep 17 00:00:00 2001 From: guitavano Date: Wed, 1 Jul 2026 14:29:35 -0300 Subject: [PATCH] fix(vnda): filter proxy cookies to prevent RequestHeaderSectionTooLarge Add allowedCookies option to proxy handler and configure VNDA proxy to only forward VNDA-relevant cookies (vnda_cart_id, cart_id, ahoy_visit, ahoy_visitor), stripping analytics/tracking cookies that inflate headers beyond the 8KB limit. Co-Authored-By: Claude Opus 4.6 --- vnda/loaders/proxy.ts | 8 ++++++++ website/handlers/proxy.ts | 25 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/vnda/loaders/proxy.ts b/vnda/loaders/proxy.ts index 20e6a0606..83b9de613 100644 --- a/vnda/loaders/proxy.ts +++ b/vnda/loaders/proxy.ts @@ -38,6 +38,12 @@ const API_PATHS = [ const decoSiteMapUrl = "/sitemap/deco.xml"; const VNDA_HOST_HEADER = "X-Shop-Host"; +const VNDA_ALLOWED_COOKIES = [ + "vnda_cart_id", + "cart_id", + "ahoy_visit", + "ahoy_visitor", +]; export interface Props { /** @description ex: /p/fale-conosco */ pagesToProxy?: string[]; @@ -100,6 +106,7 @@ function loader( : internalDomain, host: url.hostname, customHeaders, + allowedCookies: VNDA_ALLOWED_COOKIES, }, }, })); @@ -123,6 +130,7 @@ function loader( url: `https://api.vnda.com.br/`, host: url.hostname, customHeaders, + allowedCookies: VNDA_ALLOWED_COOKIES, }, }, })); diff --git a/website/handlers/proxy.ts b/website/handlers/proxy.ts index 6b659e3c8..278d40f1b 100644 --- a/website/handlers/proxy.ts +++ b/website/handlers/proxy.ts @@ -24,6 +24,23 @@ export const removeCFHeaders = (headers: Headers) => { } }); }; +export const filterCookies = (headers: Headers, allowed: string[]) => { + const cookie = headers.get("cookie"); + if (!cookie) return; + const filtered = cookie + .split(";") + .map((c) => c.trim()) + .filter((c) => { + const name = c.split("=")[0]?.trim(); + return name && allowed.includes(name); + }) + .join("; "); + if (filtered) { + headers.set("cookie", filtered); + } else { + headers.delete("cookie"); + } +}; /** * @title {{{key}}} - {{{value}}} */ @@ -86,6 +103,10 @@ export interface Props { removeDirtyCookies?: boolean; excludeHeaders?: string[]; pathsThatRequireSameReferer?: string[]; + /** + * @description Only forward cookies whose names match this list. When set, all other cookies are stripped from the proxied request. + */ + allowedCookies?: string[]; } /** * @title Proxy @@ -104,6 +125,7 @@ export default function Proxy({ replaces, removeDirtyCookies = false, pathsThatRequireSameReferer = [], + allowedCookies, }: Props): Handler { return async (req, _ctx) => { const url = new URL(req.url); @@ -127,6 +149,9 @@ export default function Proxy({ if (removeDirtyCookies) { removeDirtyCookiesFn(headers); } + if (allowedCookies && allowedCookies.length > 0) { + filterCookies(headers, allowedCookies); + } if (isFreshCtx(_ctx)) { _ctx?.state?.monitoring?.logger?.log?.("proxy sent headers", headers); }