fix: prevent duplicate Location and x-nextjs-stale-time headers on redirect

claygeo · claygeo · commit 7adeb8eb241d · 2026-03-28T13:37:15.000-04:00
When a page redirect is rendered, the render phase sets Location via setHeader on the response. Then the cache serving code in app-page.ts re-applies cached headers using the native appendHeader, which appends unconditionally without checking for existing values. This produces duplicate Location headers (e.g. Location: /redirect, Location: /redirect). Behind Cloudflare or similar proxies, duplicated Location headers get merged into "Location: /redirect, /redirect" which is an invalid redirect target, breaking navigation entirely. Use setHeader (replace) instead of appendHeader (add) for headers that don't support multiple values. Keep appendHeader for set-cookie, vary, www-authenticate, and proxy-authenticate which are multi-value by spec. Fixes #82117
diff --git a/packages/next/src/build/templates/app-page.ts b/packages/next/src/build/templates/app-page.ts
@@ -1608,18 +1608,39 @@ export async function handler(
           delete headers[NEXT_CACHE_TAGS_HEADER]
         }
 
+        // Headers that support multiple values must use appendHeader;
+        // all others use setHeader to avoid duplicates when the render
+        // phase already set the same header (e.g. Location) (#82117).
+        const multiValueHeaders = new Set([
+          'set-cookie',
+          'www-authenticate',
+          'proxy-authenticate',
+          'vary',
+        ])
+
         for (let [key, value] of Object.entries(headers)) {
           if (typeof value === 'undefined') continue
 
+          const useAppend =
+            Array.isArray(value) || multiValueHeaders.has(key.toLowerCase())
+
           if (Array.isArray(value)) {
             for (const v of value) {
               res.appendHeader(key, v)
             }
           } else if (typeof value === 'number') {
             value = value.toString()
-            res.appendHeader(key, value)
+            if (useAppend) {
+              res.appendHeader(key, value)
+            } else {
+              res.setHeader(key, value)
+            }
           } else {
-            res.appendHeader(key, value)
+            if (useAppend) {
+              res.appendHeader(key, value)
+            } else {
+              res.setHeader(key, value)
+            }
           }
         }
       }
