Added vary headers

PostHog · Dec 13, 2024 · 17bc8bd · 17bc8bd
1 parent f135d17
commit 17bc8bd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/posthog/api/remote_config.py b/posthog/api/remote_config.py
@@ -5,6 +5,14 @@
 from posthog.models.remote_config import RemoteConfig
 
 
+def add_vary_headers(response):
+    """
+    Add Vary headers for Origin and Referer to responses.
+    """
+    response["Vary"] = "Origin, Referer"
+    return response
+
+
 class BaseRemoteConfigAPIView(APIView):
     """
     Base class for RemoteConfig API views.
@@ -27,7 +35,7 @@ def get(self, request, token: str, *args, **kwargs):
         except RemoteConfig.DoesNotExist:
             raise Http404()
 
-        return JsonResponse(resource)
+        return add_vary_headers(JsonResponse(resource))
 
 
 class RemoteConfigJSAPIView(BaseRemoteConfigAPIView):
@@ -37,7 +45,7 @@ def get(self, request, token: str, *args, **kwargs):
         except RemoteConfig.DoesNotExist:
             raise Http404()
 
-        return HttpResponse(script_content, content_type="application/javascript")
+        return add_vary_headers(HttpResponse(script_content, content_type="application/javascript"))
 
 
 class RemoteConfigArrayJSAPIView(BaseRemoteConfigAPIView):
@@ -47,4 +55,4 @@ def get(self, request, token: str, *args, **kwargs):
         except RemoteConfig.DoesNotExist:
             raise Http404()
 
-        return HttpResponse(script_content, content_type="application/javascript")
+        return add_vary_headers(HttpResponse(script_content, content_type="application/javascript"))
diff --git a/posthog/api/test/test_remote_config.py b/posthog/api/test/test_remote_config.py
@@ -77,6 +77,12 @@ def test_valid_config(self):
             }
         )
 
+    def test_vary_header_response(self):
+        response = self.client.get(f"/array/{self.team.api_token}/config", HTTP_ORIGIN="https://foo.example.com")
+        assert response.status_code == status.HTTP_200_OK, response.json()
+        assert "Origin" in response.headers["Vary"]
+        assert "Referer" in response.headers["Vary"]
+
     def test_different_response_for_other_domains(self):
         # Not sure why but there is sometimes one extra query here
         with self.assertNumQueries(FuzzyInt(CONFIG_REFRESH_QUERY_COUNT, CONFIG_REFRESH_QUERY_COUNT + 1)):