return status(307) silently returns body with content #1715

@nico-amsterdam

What version of Elysia is running?

[email protected]

What platform is your computer?

Linux 6.6.87.2-microsoft-standard-WSL2 x86_64 x86_64

What environment are you using

bun 1.3.8

Are you using dynamic mode?

yes

What steps can reproduce the bug?

First of all: great framework, really enjoying it.

In the example below I use aot:false and I use status instead of redirect.
In the Additional Information I explain why.

Run the following code in the bun runtime:

import { Elysia } from 'elysia'

export default {
  async fetch(request: Request) {
    const resp = await new Elysia({ aot: false })
      .get('/auth/login', ({ }) => new Response('ok'))
      .onBeforeHandle(({ set }) => {
        console.log('onBeforeHandle CSP')
        set.headers['Content-Security-Policy'] = "default-src 'self';"
      })
      .onBeforeHandle(({ set, status, redirect }) => {
        set.headers['Location'] = '/auth/login'
        console.log('onBeforeHandle redirect')

        // This works great
        // return new Response('', { status: 307 })

        // This also works
        // set.status = 307
        // return ''

        // what I did (similar to https://elysiajs.com/tutorial/getting-started/encapsulation/)
        return status(307)
      })
      .get(
        '/dashboard',
        async () => {
          console.log('/dashboard is also running')
          return new Response('really sensitive information')
        }
      )
      .handle(request)

    return resp
  }
}

What is the expected behavior?

status 307 is returned with location /auth/login and body is empty.

console.log does not contain /dashboard is also running

What do you see instead?

status 307 is returned with location /auth/login and body contains really sensitive information

console.log does contain /dashboard is also running

This is worrying, because you don't notice this behavior when using a browser.
The browser will follow the redirect to '/auth/login'.
However, in the browser's devtools network tab, or when using a curl command like this
curl -i http://localhost:300/dashboard
the 'really sensitive information' is revealed.

Additional information

The status code is significant. This behavior occurs with status codes 205,307,308
but not with 401 or 418. Might be related to the fix of issue/1304

When using aot:true, you do get a proper error at runtime:
error: Expected a Response object, but received 'undefined'

I use Cloudflare's Miniflare via wrangler (I use wrangler version 4.61.1).
Miniflare runs on node (I have version v24.13.0), and it emulates the Cloudflare worker runtime.
To test with Miniflare, add a wrangler.jsonc file like this:

    {
        "$schema": "node_modules/wrangler/config-schema.json",
        "name": "bug-report",
        "main": "src/index.ts",
        "compatibility_date": "2026-01-28",
        "compatibility_flags": [
            "nodejs_compat"
        ]
    }

run:
bun add -D wrangler
bun wrangler dev
test functionality:
curl -i http://localhost:8787/dashboard

I run the code with aot:false, because with aot:true I get this error at runtime when I use Miniflare:

EvalError: Code generation from strings disallowed for this context
    at [object Object]
    at composeErrorHandler (file:///home/naomi/bunny/bunserver/bug-report/node_modules/elysia/dist/compose.mjs:1301:10)
    at composeGeneralHandler (file:///home/naomi/bunny/bunserver/bug-report/node_modules/elysia/dist/compose.mjs:1172:23)
    at get fetch (file:///home/naomi/bunny/bunserver/bug-report/node_modules/elysia/dist/index.mjs:1865:37)
    at _Elysia.handle (file:///home/naomi/bunny/bunserver/bug-report/node_modules/elysia/dist/index.mjs:151:43)
    at Object.fetch (file:///home/naomi/bunny/bunserver/bug-report/src/index.ts:61:8)

I set header Location and use return status(307) instead of return redirect('http://localhost:8787/auth/login', 307), because in Miniflare I get this runtime error when using redirect:

TypeError: Can't modify immutable headers.
at null.<anonymous> (file:///home/bun/bug-report/node_modules/elysia/dist/adapter/utils.mjs:191:59)
at mapResponse (file:///home/bun/bug-report/node_modules/elysia/dist/adapter/web-standard/handler.mjs:42:16)
at null.<anonymous> (file:///home/bun/bug-report/node_modules/elysia/dist/dynamic-handle.mjs:407:14)
at _Elysia.handleError (file:///home/bun/bug-report/node_modules/elysia/dist/index.mjs:152:146)
at _Elysia.<anonymous> (file:///home/bun/bug-report/node_modules/elysia/dist/dynamic-handle.mjs:369:18)

If I remove the onBeforeHandle that sets the CSP, the redirect does work in Miniflare.

Have you tried removing the node_modules and bun.lockb and trying again yet?

yes
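
A fail-closed guard for the response shape reported above, as an added example that is not part of the original issue or of Elysia's code: it re-emits redirect and null-body responses without a body before they leave the server. The names `stripBodylessResponse`, `withBodylessGuard`, `sampleLeakyRedirect` and the status set are assumptions of this example; it uses only the web-standard `Response` API.

```javascript
// Added example, not Elysia code. Statuses whose body a client never needs:
// redirects plus the null-body statuses 204, 205 and 304 (assumed set).
const BODYLESS = new Set([204, 205, 301, 302, 303, 304, 307, 308])

// Returns { response, stripped }. `stripped` is true when the original
// response carried a body stream that was dropped.
function stripBodylessResponse(resp) {
  if (!BODYLESS.has(resp.status)) return { response: resp, stripped: false }
  const stripped = resp.body !== null
  if (stripped) resp.body.cancel().catch(() => {}) // discard handler output
  const response = new Response(null, {
    status: resp.status,
    statusText: resp.statusText,
    headers: resp.headers, // copied, so Location and CSP survive
  })
  return { response, stripped }
}

// Wrap any fetch-style handler, e.g. (req) => app.handle(req).
// onStrip is a hypothetical callback for logging or alerting.
function withBodylessGuard(handler, onStrip = () => {}) {
  return async (request) => {
    const { response, stripped } = stripBodylessResponse(await handler(request))
    if (stripped) onStrip(request.url, response.status)
    return response
  }
}

// Constructed sample reproducing the response shape from the report.
function sampleLeakyRedirect() {
  return new Response('really sensitive information', {
    status: 307,
    headers: {
      Location: '/auth/login',
      'Content-Security-Policy': "default-src 'self';",
    },
  })
}
```

The guard only stops the bytes from leaving; the protected route handler has still executed, so any side effects it has still occur. A `stripped` hit is worth logging, since it means a hook meant to short-circuit the request did not.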
