AntFleet

Disagreement · 5502fb0d-anthropic-2

Matcher excludes static asset extensions only at end of path, missing query strings and case variants

mismatch · repo e24ef98c · PR #5 · reviewed 2 weeks ago

Primary finding

Matcher excludes static asset extensions only at end of path, missing query strings and case variants

low · maintainability · medium
  • apps/web/middleware.ts:49-53
The matcher anchors `.png$`, `.svg$`, `.ico$` to end-of-pathname. Next.js matchers run against the pathname (not including query), so query strings aren't a concern, but uppercase extensions (e.g., `/logo.PNG`) would still trigger middleware and have security headers applied. Applying security headers to images is harmless (in fact arguably desirable), so this is not a bug — but it's also not what the comment 'static asset files' implies. Other common static assets (`.jpg`, `.jpeg`, `.webp`, `.gif`, `.css`, `.js`, `.woff2`) are not excluded and will hit middleware on every request, adding latency at the edge. Worth a sanity check of whether the exclusion list is intentional or partial.

Recommendation

Either broaden the exclusion list to cover all served static asset types, or confirm in a comment that running middleware on most static files is intentional (security headers on JS/CSS are valuable; on images they're neutral).
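To make the gap concrete, the following added check (not code from the PR or from middleware.ts) models the matcher's exclusion as a regex over the pathname, which is what Next.js evaluates (the query string is never part of the match), and compares the assumed three-extension, case-sensitive rule against a broadened case-insensitive one. The rule strings and sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not the PR's middleware.ts. Models the exclusion rule as a
// regex on the pathname; Next.js matchers see the pathname only, never the query.

// Assumed current rule: only .png/.svg/.ico, anchored at end, case-sensitive.
const CURRENT_EXCLUDE = /\.(?:png|svg|ico)$/;

// Broadened rule: every static type the finding lists, matched case-insensitively.
const BROAD_EXCLUDE = /\.(?:png|svg|ico|jpe?g|webp|gif|css|js|woff2)$/i;

// Returns true when middleware (and its security headers) would run for this
// request. The query string is stripped first, mirroring matcher semantics.
function runsMiddleware(url, excludeRule) {
  const pathname = new URL(url, "http://example.test").pathname;
  return !excludeRule.test(pathname);
}

// Constructed sample requests covering the cases the finding discusses.
const SAMPLE_URLS = [
  "/logo.png",        // excluded by both rules
  "/logo.PNG",        // case variant: slips past the case-sensitive rule
  "/logo.png?v=2",    // query string: irrelevant, pathname still matches
  "/app.js",          // not in the current list, hits middleware every request
  "/styles.css",      // same
  "/api/session",     // a real route that should always run middleware
];

// Lists which of the sample requests reach middleware under a given rule.
function pathsHittingMiddleware(rule) {
  return SAMPLE_URLS.filter((u) => runsMiddleware(u, rule));
}
```

Under `CURRENT_EXCLUDE` the `.PNG`, `.js` and `.css` requests all reach middleware; under `BROAD_EXCLUDE` only `/api/session` does.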

Counterpart finding

Outdated/misleading test comment about importing SECURITY_HEADERS

low · docs-gap · high
  • apps/web/middleware.test.ts:8-10
  • apps/web/middleware.test.ts:12
  • apps/web/middleware.test.ts:19-21
  • apps/web/middleware.ts:13
  • apps/web/middleware.ts:44
The test file comment claims SECURITY_HEADERS is imported via re-export and tested directly, but the code instantiates the middleware and inspects the resulting response headers. SECURITY_HEADERS is not exported from middleware.ts, making the comment inaccurate/outdated.

Recommendation

Update the test comment to reflect the actual approach (calling middleware and inspecting the response). Alternatively, export SECURITY_HEADERS from middleware.ts and adjust the test to import and validate it directly, if that approach is preferred.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
