From dff966d0fe22618e93893c1f422807a018e75085 Mon Sep 17 00:00:00 2001
From: Andrew Chou
Date: Mon, 5 Feb 2024 13:44:28 -0500
Subject: [PATCH] switch to allow-list when forwarding headers

---
 src/fastify-plugins/maps/index.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/fastify-plugins/maps/index.js b/src/fastify-plugins/maps/index.js
index f3f5ee6c..4f721e1a 100644
--- a/src/fastify-plugins/maps/index.js
+++ b/src/fastify-plugins/maps/index.js
@@ -110,11 +110,15 @@ async function routes(fastify, opts) {
 if (upstreamResponse.ok) {
 // Set up headers to forward
- // TODO: Change this to an allow-list of headers instead of a block-list
 for (const [name, value] of upstreamResponse.headers) {
- // We do our own content encoding
- if (name.toLowerCase() === 'content-encoding') continue
- rep.header(name, value)
+ // Only forward headers related to caching
+ // https://www.rfc-editor.org/rfc/rfc9111#name-field-definitions
+ // e.g. usage from map renderer: https://github.com/maplibre/maplibre-gl-js/blob/26a7a6c2c142ef2e26db89f5fdf2338769494902/src/util/ajax.ts#L205
+ if (
+ ['age', 'cache-control', 'expires'].includes(name.toLowerCase())
+ ) {
+ rep.header(name, value)
+ }
 }
 // Some upstream providers will not set the 'application/json' content-type header despite the body being JSON e.g. Protomaps
 // TODO: Should we forward the upstream 'content-type' header?