fix: deduplicate HEAD entry in 405 response allow header (#14564)

teemingc · web-flow · commit 1fdc8003c600 · 2025-09-30T09:34:54.000+02:00
* deduplicate items in allow header

* changeset

* add test

* clarify comment

* format
diff --git a/.changeset/salty-candles-chew.md b/.changeset/salty-candles-chew.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: avoid including `HEAD` twice when an unhandled HTTP method is used in a request to a `+server` handler that has both a `GET` handler and a `HEAD` handler
diff --git a/packages/kit/src/runtime/server/utils.js b/packages/kit/src/runtime/server/utils.js
@@ -39,7 +39,11 @@ export function method_not_allowed(mod, method) {
 export function allowed_methods(mod) {
 	const allowed = ENDPOINT_METHODS.filter((method) => method in mod);
 
-	if ('GET' in mod || 'HEAD' in mod) allowed.push('HEAD');
+	// if there's no HEAD handler, but we have a GET handler, we respond to
+	// HEAD requests using the GET handler and omit the response body.
+	if ('GET' in mod && !('HEAD' in mod)) {
+		allowed.push('HEAD');
+	}
 
 	return allowed;
 }
diff --git a/packages/kit/test/apps/basics/src/routes/endpoint-output/head-handler/+server.js b/packages/kit/test/apps/basics/src/routes/endpoint-output/head-handler/+server.js
@@ -1,3 +1,10 @@
+// The GET handler is included alongside the HEAD handler to test that HEAD
+// is not included twice in the `allow` header list of allowed methods.
+// This is because HEAD is always allowed if GET is allowed too
+export function GET() {
+	return new Response('Hello world!');
+}
+
 /** @type {import('@sveltejs/kit').RequestHandler} */
 export function HEAD() {
 	return new Response('', {
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -281,6 +281,18 @@ test.describe('Endpoints', () => {
 		expect(allow_header).toMatch(/\bHEAD\b/);
 	});
 
+	test('405 allow header has no duplicate methods listed', async ({ request }) => {
+		const response = await request.post('/endpoint-output/head-handler');
+
+		expect(response.status()).toBe(405);
+
+		const allow_header = response.headers()['allow'];
+		const methods = allow_header.split(',').map((m) => m.trim());
+		const unique_methods = [...new Set(methods)];
+
+		expect(methods).toEqual(unique_methods);
+	});
+
 	// TODO all the remaining tests in this section are really only testing
 	// setResponse, since we're not otherwise changing anything on the response.
 	// might be worth making these unit tests instead

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +fix: avoid including `HEAD` twice when an unhandled HTTP method is used in a request to a `+server` handler that has both a `GET` handler and a `HEAD` handler