Fix Cloudflare stripping Content-Length on HEAD requests for text/plain#134
Merged
Merged
Conversation
…ontent-Length on HEAD requests
RayPlante
approved these changes
Apr 14, 2026
RayPlante
left a comment
Collaborator
There was a problem hiding this comment.
We've since determined that the Cache-Control header was not ultimately the cause of the problem that motivated this change, this PR works as intended, and it makes sense to make the header fully complete. Will merge.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
After Cloudflare was added in front of
data.nist.gov, HEAD requests for.txtfiles are missing theContent-Lengthheader. Clients that rely on this header to determine file size get no value.This returns 200 OK but Content-Length is missing
Other file types (e.g.
.csv) seem to be unaffected.Query Results
curl -Ireturns but no Content-Length;curl -X HEADhangsNote:
curl -I(the proper HEAD) returns immediately because it knows not to expect a body.curl -X HEADoverrides the method but curl still internally waits for a body, withoutContent-Lengthit doesn't know to stop, so it hangs until the connection times out.Root Cause
Based on a Cloudflare community discussion where users reported the same behavior, my guess is that Cloudflare compresses
text/plainresponses on the fly. When it does, it stripsContent-Lengthbecause the compressed size is unknown at the time headers are sent. For GET requests this is fine, Cloudflare usesTransfer-Encoding: chunkedinstead. For HEAD requests (no body), there is nothing to chunk, soContent-Lengthjust disappears.A Cloudflare representative said:
And then said:
So based on that, the
no-transformdirective should come from the origin response, and setting it via Cloudflare Transform Rules or at the CDN layer has no effect.Fix
I added
Cache-Control: no-transformto the origin response via Spring Security's header configuration inCacheSecurityConfig.java. This disables Spring Security's defaultCache-Controlheader and replaces it with one that includesno-transform, which will tell Cloudflare not to compress the response.Why in CacheSecurityConfig and not in the controller
Another option is to add the header manually in the HEAD handler (
DatasetAccessController.downloadFileInfo()). But placing it in the security config:Duplicate Cache-Control headers
The response currently shows two
Cache-Controlheaders:The nginx reverse proxy does not add any
Cache-Controlfor the/od/ds/block, so it is not affect the cache-control directives.The first comes from Spring Security's defaults (no
no-transform), and I am assuming the second comes from Cloudflare itself, but Cloudflare only checks the origin's headers when deciding whether to compress, not its own additions. This fix replaces the first line with a version that includesno-transform, so the origin explicitly signals no compression.Changes
CacheSecurityConfig.java: I disabled Spring Security's defaultCache-Controland added a custom one withno-transformDatasetAccessControllerTest.java: I added test assertions that HEAD responses includeContent-LengthandCache-Control: no-transformTest
All
DatasetAccessControllerTesttests pass, including the new assertions.Verification
This needs to be deployed to production, and run the curl commands again:
Without access to the Cloudflare config, I can't confirm exactly how it is configured or what is stripping the header. This fix is a best-effort attempt based on community discussions. If
Content-Lengthis still missing after deploy, we should check the Cloudflare config.