fix(@angular/ssr): support custom headers in redirect responses

Updates createRedirectResponse to accept an optional Record<string, string> of headers, allowing custom headers to be merged into the redirect response. The Location and Vary: X-Forwarded-Prefix headers are automatically set to ensure correct routing and proxy behavior.

AngularServerApp now passes relevant headers from the matched route or response context when creating a redirect.

Author: alan-agius4

packages/angular/ssr/src/app.ts

@@ -25,6 +25,7 @@ import { InlineCriticalCssProcessor } from './utils/inline-critical-css';
 import { LRUCache } from './utils/lru-cache';
 import { AngularBootstrap, renderAngular } from './utils/ng';
 import { promiseWithAbort } from './utils/promise';
+import { createRedirectResponse } from './utils/redirect';
 import { buildPathWithParams, joinUrlParts, stripLeadingSlash } from './utils/url';
 
 /**
@@ -174,7 +175,7 @@ export class AngularServerApp {
       return null;
     }
 
-    const { redirectTo, status, renderMode } = matchedRoute;
+    const { redirectTo, status, renderMode, headers } = matchedRoute;
 
     if (redirectTo !== undefined) {
       return createRedirectResponse(
@@ -183,6 +184,7 @@ export class AngularServerApp {
           buildPathWithParams(redirectTo, url.pathname),
         ),
         status,
+        headers,
       );
     }
 
@@ -336,7 +338,7 @@ export class AngularServerApp {
     }
 
     if (result.redirectTo) {
-      return createRedirectResponse(result.redirectTo, status);
+      return createRedirectResponse(result.redirectTo, responseInit.status, headers);
     }
 
     if (renderMode === RenderMode.Prerender) {
@@ -552,20 +554,3 @@ function appendPreloadHintsToHtml(html: string, preload: readonly string[]): str
     html.slice(bodyCloseIdx),
   ].join('\n');
 }
-
-/**
- * Creates an HTTP redirect response with a specified location and status code.
- *
- * @param location - The URL to which the response should redirect.
- * @param status - The HTTP status code for the redirection. Defaults to 302 (Found).
- *                 See: https://developer.mozilla.org/en-US/docs/Web/API/Response/redirect_static#status
- * @returns A `Response` object representing the HTTP redirect.
- */
-function createRedirectResponse(location: string, status = 302): Response {
-  return new Response(null, {
-    status,
-    headers: {
-      'Location': location,
-    },
-  });
-}

packages/angular/ssr/src/utils/redirect.ts

@@ -0,0 +1,66 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+/**
+ * An set of HTTP status codes that are considered valid for redirect responses.
+ */
+export const VALID_REDIRECT_RESPONSE_CODES: Set<number> = new Set([301, 302, 303, 307, 308]);
+
+/**
+ * Checks if the given HTTP status code is a valid redirect response code.
+ *
+ * @param code The HTTP status code to check.
+ * @returns `true` if the code is a valid redirect response code, `false` otherwise.
+ */
+export function isValidRedirectResponseCode(code: number): boolean {
+  return VALID_REDIRECT_RESPONSE_CODES.has(code);
+}
+
+/**
+ * Creates an HTTP redirect response with a specified location and status code.
+ *
+ * @param location - The URL to which the response should redirect.
+ * @param status - The HTTP status code for the redirection. Defaults to 302 (Found).
+ *                 See: https://developer.mozilla.org/en-US/docs/Web/API/Response/redirect_static#status
+ * @param headers - Additional headers to include in the response.
+ * @returns A `Response` object representing the HTTP redirect.
+ */
+export function createRedirectResponse(
+  location: string,
+  status = 302,
+  headers?: Record<string, string>,
+): Response {
+  if (ngDevMode && !isValidRedirectResponseCode(status)) {
+    throw new Error(
+      `Invalid redirect status code: ${status}. ` +
+        `Please use one of the following redirect response codes: ${[...VALID_REDIRECT_RESPONSE_CODES.values()].join(', ')}.`,
+    );
+  }
+
+  const resHeaders = new Headers(headers);
+  if (ngDevMode && resHeaders.has('location')) {
+    // eslint-disable-next-line no-console
+    console.warn(
+      `Location header "${resHeaders.get('location')}" will ignored and set to "${location}".`,
+    );
+  }
+
+  let vary = resHeaders.get('Vary') ?? '';
+  if (vary) {
+    vary += ', ';
+  }
+  vary += 'X-Forwarded-Prefix';
+
+  resHeaders.set('Vary', vary);
+  resHeaders.set('Location', location);
+
+  return new Response(null, {
+    status,
+    headers: resHeaders,
+  });
+}

packages/angular/ssr/test/utils/redirect_spec.ts

@@ -0,0 +1,60 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import { createRedirectResponse } from '../../src/utils/redirect';
+
+describe('Redirect Utils', () => {
+  describe('createRedirectResponse', () => {
+    it('should create a redirect response with default status 302', () => {
+      const response = createRedirectResponse('/home');
+      expect(response.status).toBe(302);
+      expect(response.headers.get('Location')).toBe('/home');
+      expect(response.headers.get('Vary')).toBe('X-Forwarded-Prefix');
+    });
+
+    it('should create a redirect response with a custom status', () => {
+      const response = createRedirectResponse('/home', 301);
+      expect(response.status).toBe(301);
+      expect(response.headers.get('Location')).toBe('/home');
+    });
+
+    it('should allow providing additional headers', () => {
+      const response = createRedirectResponse('/home', 302, { 'X-Custom': 'value' });
+      expect(response.headers.get('X-Custom')).toBe('value');
+      expect(response.headers.get('Location')).toBe('/home');
+      expect(response.headers.get('Vary')).toBe('X-Forwarded-Prefix');
+    });
+
+    it('should append to Vary header instead of overriding it', () => {
+      const response = createRedirectResponse('/home', 302, {
+        'Location': '/evil',
+        'Vary': 'Host',
+      });
+      expect(response.headers.get('Location')).toBe('/home');
+      expect(response.headers.get('Vary')).toBe('Host, X-Forwarded-Prefix');
+    });
+
+    it('should warn if Location header is provided in extra headers in dev mode', () => {
+      // @ts-expect-error accessing global
+      globalThis.ngDevMode = true;
+      const warnSpy = spyOn(console, 'warn');
+      createRedirectResponse('/home', 302, { 'Location': '/evil' });
+      expect(warnSpy).toHaveBeenCalledWith(
+        'Location header "/evil" will ignored and set to "/home".',
+      );
+    });
+
+    it('should throw error for invalid redirect status code in dev mode', () => {
+      // @ts-expect-error accessing global
+      globalThis.ngDevMode = true;
+      expect(() => createRedirectResponse('/home', 200)).toThrowError(
+        /Invalid redirect status code: 200/,
+      );
+    });
+  });
+});