TL;DR — A bare /{slug} route (the default-locale catch-all) crashed with a ResponseSentError instead of returning a clean 404 when the requested slug only existed as an Indonesian-locale post. The cause: the entry lookup on that route had no locale filter, so it matched across locales, started rendering, then tried to redirect to 404 after the response stream had already begun.
A catch-all src/pages/[slug].astro route called an entry lookup for both posts and pages with no locale argument.
Without a locale filter, that lookup matches by slug across every locale — so a slug that only exists as an id-locale post gets matched by the bare EN route too.
The route started rendering the post component (defaulting to locale "en"), which internally re-fetched with the correct locale, found nothing, and called Astro.redirect("/404") — but by then, streaming had already started.
// before
const entry = await getEmDashEntry("posts", slug);
// or
const entry = await getEmDashEntry("pages", slug);
// matches by slug across ALL locales -- no locale scoping at all
emdashkits.com
Fix
// after -- explicit locale on every entry lookup, even the "default" route
const entry = await getEmDashEntry("posts", slug, { locale: "en" });
const page = await getEmDashEntry("pages", slug, { locale: "en" });
// matches the pattern already used in src/pages/id/[slug].astro
A crash ("already sent"/500) instead of a clean 404 on a locale-prefixed site is very often a missing locale filter, not a routing config problem.
Always pass an explicit locale to entry lookups in locale-specific route files — including the bare/default-locale route, which is easy to assume doesn't need it since it "is" the default.
This is the same underlying family as doubled locale-prefix URL bugs — both come from treating a multi-locale entry lookup as if only one locale existed.
TL;DR — A custom session-cookie login flow appeared to succeed on localhost (the OTP verified, the response looked fine) but every subsequent request to a login-gated page treated the visitor as logged out. Identical code worked fine on the live HTTPS site. The cookie's Secure attribute was hardcoded to true — and per the cookie spec, browsers never store or send a Secure cookie over a plain, non-HTTPS connection.
Check the actual Set-Cookie response header and the browser's own cookie storage panel — on localhost over http://, the cookie is sent by the server but never actually stored by the browser.
Root cause
// before -- assumes the app is always served over HTTPS
setCookie("session", token, { secure: true, httpOnly: true });
emdashkits.com
A cookie config that quietly assumes "we're always on HTTPS" breaks the instant you test over plain HTTP, which local dev servers commonly are.
// after -- derive secure from the actual request protocol
const isHttps = request.url.startsWith("https://");
setCookie("session", token, { secure: isHttps, httpOnly: true });
emdashkits.com
Lessons learned
Any Secure-flagged cookie needs to key off the real request scheme, not an assumption baked in once at cookie-creation time.
"Works in production, silently fails in local dev" is a strong signal to check cookie flags before anything else in an auth flow.
Check other cookies in the same codebase for the same hardcoded assumption — if one cookie has this bug, sibling cookies set the same way are worth auditing too.
TL;DR — GA4's gtag.js snippet was installed correctly, the page loaded with no visible JavaScript error, and GA4's real-time report still showed zero activity. The CMS's default Content-Security-Policy had no allowance for analytics domains and no config option to add one — so every request to Google's tracking endpoints was blocked at the browser level before it could fail loudly.
Check the browser's dedicated CSP violation reporting, not the regular console error list — CSP blocks are reported through their own channel, not thrown as normal script errors, so "no console errors" doesn't mean nothing was blocked.
Root cause
The CSP's script-src and connect-src directives had no entry for googletagmanager.com or google-analytics.com, and the CMS exposed no configuration surface to add one — the only way in was patching the CSP directives directly.
// patch-package: add analytics domains to the existing CSP directives
scriptSrc.push("https://www.googletagmanager.com");
connectSrc.push("https://www.google-analytics.com", "https://www.googletagmanager.com");
"No console errors" is not proof nothing was blocked — CSP violations live in their own reporting surface and are easy to miss if you're only scanning for red error text.
Before adding any third-party script tag to a site with a CSP already in place, check the CSP's directives first rather than assuming a silently-empty analytics dashboard means a snippet-installation mistake.
Comments