From 2be9dc2a00e307133231ed004b0065c450e4455b Mon Sep 17 00:00:00 2001 From: Ryanba <92616678+Gujiassh@users.noreply.github.com> Date: Tue, 10 Mar 2026 20:39:26 +0900 Subject: [PATCH 1/2] fix(server): filter hop-by-hop proxy headers --- server/src/api/lifecycle.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/server/src/api/lifecycle.py b/server/src/api/lifecycle.py index 807d57fd..19883b4e 100644 --- a/server/src/api/lifecycle.py +++ b/server/src/api/lifecycle.py @@ -466,10 +466,24 @@ async def proxy_sandbox_endpoint_request(request: Request, sandbox_id: str, port resp = await client.send(req, stream=True) + hop_by_hop = set(HOP_BY_HOP_HEADERS) + connection_header = resp.headers.get("connection") + if connection_header: + hop_by_hop.update( + header.strip().lower() + for header in connection_header.split(",") + if header.strip() + ) + response_headers = { + key: value + for key, value in resp.headers.items() + if key.lower() not in hop_by_hop + } + return StreamingResponse( content=resp.aiter_bytes(), status_code=resp.status_code, - headers=resp.headers, + headers=response_headers, ) except httpx.ConnectError as e: raise HTTPException( From 9d50fe418dc2d98729b5ce3da99b7fdf5261a828 Mon Sep 17 00:00:00 2001 From: Ryanba <92616678+Gujiassh@users.noreply.github.com> Date: Tue, 10 Mar 2026 22:29:02 +0900 Subject: [PATCH 2/2] fix(server): honor Connection hop-by-hop headers --- server/src/api/lifecycle.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/server/src/api/lifecycle.py b/server/src/api/lifecycle.py index 19883b4e..729e22c1 100644 --- a/server/src/api/lifecycle.py +++ b/server/src/api/lifecycle.py 
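Review bot: The filtered `response_headers` still carry the upstream `Content-Encoding` and `Content-Length` (unless `HOP_BY_HOP_HEADERS`, defined outside this hunk, happens to list them), while the body is streamed through `resp.aiter_bytes()`, which in httpx yields decoded content. When the sandbox answers with a compressed body, the client would get decoded bytes labelled as encoded, with a declared length that no longer matches. Because the sandbox controls these headers, the framing should be made consistent here: either pass the bytes through untouched with `content=resp.aiter_raw(),` or also drop `content-encoding` and `content-length` in the comprehension. The enclosing function starts and ends outside the hunk, so whether the upstream response is closed after streaming cannot be checked from here.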
@@ -440,12 +440,20 @@ async def proxy_sandbox_endpoint_request(request: Request, sandbox_id: str, port try: # Filter headers + hop_by_hop = set(HOP_BY_HOP_HEADERS) + connection_header = request.headers.get("connection") + if connection_header: + hop_by_hop.update( + header.strip().lower() + for header in connection_header.split(",") + if header.strip() + ) headers = {} for key, value in request.headers.items(): key_lower = key.lower() if ( key_lower != "host" - and key_lower not in HOP_BY_HOP_HEADERS + and key_lower not in hop_by_hop and key_lower not in SENSITIVE_HEADERS ): headers[key] = value
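Review bot: The names listed in the client's `Connection` header are honoured as-is, so a caller can nominate any end-to-end header and have the proxy drop it before the request reaches the sandbox, possibly including headers a fronting gateway added for identity or client address. Consider ignoring nominations that fall in a protected set, for example `if header.strip() and header.strip().lower() not in PROTECTED_REQUEST_HEADERS` (a new constant, name illustrative), covering at least the forwarding headers the sandbox relies on. The same parse-and-extend block also appears in the response path added by the first patch of this series, so a small shared helper that takes the headers object would keep the two in step. The function begins outside the hunk.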