fix(security): add Vary: Origin and avoid double CORS on form routes

- Set Vary: Origin whenever CORS Allow-Origin is not '*' (proxy +
  addCorsHeaders) to prevent shared caches from serving the wrong
  reflected origin
- Skip middleware CORS for /api/form/* non-OPTIONS; route handler's
  addCorsHeaders owns the reflected-origin response to avoid the same
  header being written twice
- Comment why /api/* short-circuits before handleSecurityFiltering

Author: waleedlatif1

apps/sim/lib/core/security/deployment.ts

@@ -106,6 +106,7 @@ export function addCorsHeaders(response: NextResponse, request: NextRequest): Ne
     response.headers.set('Access-Control-Allow-Origin', origin)
     response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
     response.headers.set('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With')
+    response.headers.set('Vary', 'Origin')
   }
 
   return response

apps/sim/proxy.ts

@@ -85,6 +85,9 @@ function applyCorsHeaders(response: NextResponse, policy: CorsPolicy): void {
   response.headers.set('Access-Control-Allow-Credentials', String(policy.credentials))
   response.headers.set('Access-Control-Allow-Methods', policy.methods)
   response.headers.set('Access-Control-Allow-Headers', policy.headers)
+  if (policy.origin !== '*') {
+    response.headers.set('Vary', 'Origin')
+  }
 }
 
 /**
@@ -212,11 +215,19 @@ function handleSecurityFiltering(request: NextRequest): NextResponse | null {
 export async function proxy(request: NextRequest) {
   const url = request.nextUrl
 
+  // /api/* short-circuits before handleSecurityFiltering — UA filtering was
+  // never applied to API routes under the prior matcher, and webhook/MCP
+  // exemptions in handleSecurityFiltering exist for non-API paths under /.
   if (url.pathname.startsWith('/api/')) {
     const policy = resolveApiCorsPolicy(request)
     if (request.method === 'OPTIONS') {
       return buildPreflightResponse(policy)
     }
+    // Form routes reflect origin via addCorsHeaders in the route handler;
+    // skip middleware CORS here so the same header isn't written twice.
+    if (url.pathname === '/api/form' || url.pathname.startsWith('/api/form/')) {
+      return NextResponse.next()
+    }
     const response = NextResponse.next()
     applyCorsHeaders(response, policy)
     return response