Can't set headers in hooks.server handle function in vercel

[IslamZaoui]

Hello, I was trying to add security headers to my sveltekit web app:

const handleSecurityHeaders: Handle = async ({ event, resolve }) => {
    const response = await resolve(event)

    response.headers.set('X-Frame-Options', 'SAMEORIGIN')
    response.headers.set('X-Content-Type-Options', 'nosniff')
    response.headers.set('Referrer-Policy', 'no-referrer-when-downgrade')
    response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
    response.headers.set('Access-Control-Allow-Origin', config.site_url || '*')

    return response
}

the headers appear when I'm in dev mode but when I deploy it to Vercel I can't see them until I add them to vercel.json

{
	"$schema": "https://openapi.vercel.sh/vercel.json",
	"headers": [
		{
			"source": "/(.*)",
			"headers": [
				{ "key": "Access-Control-Allow-Origin", "value": "https://islamzaoui.top" },
				{ "key": "X-Frame-Options", "value": "SAMEORIGIN" },
				{ "key": "X-Content-Type-Options", "value": "nosniff" },
				{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
				{ "key": "Permissions-Policy", "value": "geolocation=(), camera=(), microphone=()" }
			]
		}
	]
}

any suggestions?

[brunnerh]

The request event has a separate setHeaders function for setting headers.
This function has to be used before calling resolve.

const handleSecurityHeaders: Handle = async ({ event, resolve }) => {
  event.setHeaders({
    'X-Frame-Options': 'SAMEORIGIN',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer-when-downgrade',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
    'Access-Control-Allow-Origin': config.site_url || '*',
  });

  return await resolve(event);
};

(The function also exists for load functions and cookies need to be set separately.)

[IslamZaoui]

same issue, I added it to hooks.server.ts and removed headers from vercel.json then deployed it to Vercel:

I only get the result that I want when I add headers to vercel.json

[brunnerh]

There isn't anything about headers in the docs of the adapter, so if the headers are not applied this is can probably be considered a bug. Would recommend reporting it as an actual issue (if there is none yet).

[IslamZaoui]

After troubleshooting in a fresh repo I found out that export const prerender = true; in +layout.ts caused this problem

when prerendering is on the headers disappear in the production (both in vercel and local preview)