dargmuesli (Member) commented Jan 25, 2026

🔗 Linked issue

Resolves #3695

❓ Type of change

  • 📖 Documentation (updates to the documentation or readme)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Forwarding all headers can make the fetch request return data with brotli compression which is not expected at the moment. Simple fix is to revert the change to headers used.

I've added an additional change that adds support for Nuxt CSRF protection as provided by the security module which uses the csurf module internally. This was the original reason for allowing more headers. In the future we may add a module option to whitelist a certain set of headers instead, but that's something to discuss in the future. If this feature addition is not wanted, simply remove the second line!

πŸ“ Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.

vercel bot commented Jan 25, 2026

@dargmuesli is attempting to deploy a commit to the Nuxt Team on Vercel.

A member of the Team first needs to authorize it.

pkg-pr-new bot commented Jan 25, 2026

npm i https://pkg.pr.new/@nuxt/content@3701

commit: 2e9ebfb

coderabbitai bot commented Jan 25, 2026

Warning

Rate limit exceeded

@dargmuesli has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 28 seconds before requesting another review.

πŸ“ Walkthrough

Walkthrough

The change updates header construction in src/runtime/internal/api.ts's fetchContent function: it now conditionally injects a cookie header when headers.cookie exists and a CSRF header using the dynamic name from event.context.nitro.runtimeConfig.csurf.headerName when that name and event.context.csrfToken are present. These are applied instead of an unconditional spread of ...headers, while still including ...options.headers. No other control flow changes were made.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately reflects the main change: reverting header forwarding to only the cookie header, which is the primary fix addressing the brotli compression issue. |
| Description check | ✅ Passed | The description clearly explains the rationale for the change, links to issue #3695, and mentions the additional CSRF protection feature alongside the main fix. |
| Linked Issues check | ✅ Passed | The code change restricts header forwarding to only the cookie header in fetchContent, directly addressing issue #3695 where forwarding all headers caused brotli compression issues affecting SQLite queries. |
| Out of Scope Changes check | ✅ Passed | The changes are limited to the header construction in fetchContent. While CSRF support is an enhancement beyond the stated fix, it is a minimal addition mentioned as optional in the description. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@src/runtime/internal/api.ts`:
- Around line 14-17: The headers construction accesses
event.context.nitro.runtimeConfig.csurf.headerName without guarding intermediate
properties and can throw if csurf or runtimeConfig is missing; update the
condition to use optional chaining for the full chain (e.g., check
event?.context?.nitro?.runtimeConfig?.csurf?.headerName and
event?.context?.csrfToken) before using the computed property, and keep the
existing spread of options.headers and cookie logic so the header is only added
when both the headerName and csrfToken are present.
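
The header handling that the walkthrough and the review comment describe, as an added example (not the PR's code and not the project's implementation): an allowlist that forwards only the cookie and the CSRF header, with the config lookup guarded by optional chaining. `EventLike`, `buildForwardedHeaders`, the `x-csrf-token` header name and all sample values are assumptions constructed for illustration.

```typescript
// Hypothetical minimal shape of the event; only the fields named in the thread.
interface EventLike {
  context?: {
    csrfToken?: string
    nitro?: { runtimeConfig?: { csurf?: { headerName?: string } } }
  }
}

type HeaderMap = Record<string, string | undefined>

// Build headers for the internal fetch from an explicit allowlist instead of
// spreading every incoming header (which would also pass on accept-encoding
// and let the response come back brotli-compressed).
function buildForwardedHeaders(
  event: EventLike | undefined,
  incoming: HeaderMap,
  optionHeaders: Record<string, string> = {},
): Record<string, string> {
  const out: Record<string, string> = {}

  // Forward the cookie only when the client actually sent one.
  if (incoming.cookie) out.cookie = incoming.cookie

  // Optional chaining over the whole path: without the security module there
  // is no `csurf` key, and the lookup must yield undefined rather than throw.
  const csrfHeader = event?.context?.nitro?.runtimeConfig?.csurf?.headerName
  const csrfToken = event?.context?.csrfToken
  if (csrfHeader && csrfToken) out[csrfHeader] = csrfToken

  // Caller-supplied option headers are applied last (a choice of this example).
  return { ...out, ...optionHeaders }
}

// Constructed sample request: three headers arrive, one is on the allowlist.
const sampleIncoming: HeaderMap = {
  'cookie': 'session=abc',
  'accept-encoding': 'br, gzip',
  'authorization': 'Bearer constructed-value',
}

// Constructed event with the security module configured.
const sampleEvent: EventLike = {
  context: {
    csrfToken: 'tok123',
    nitro: { runtimeConfig: { csurf: { headerName: 'x-csrf-token' } } },
  },
}

const forwarded = buildForwardedHeaders(sampleEvent, sampleIncoming)
```
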

Development

Successfully merging this pull request may close these issues.

no such table: error in production since v3.11.0 (works in dev)
