From fc83f4881a6695d51e23a18ce6efdd0ddb1c0ee9 Mon Sep 17 00:00:00 2001
From: Ralph Slooten <axllent@gmail.com>
Date: Sat, 13 Jun 2026 08:46:15 +1200
Subject: [PATCH] Fix: Adjust header setting order in error response functions
 (#699)

---
 server/apiv1/api.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/apiv1/api.go b/server/apiv1/api.go
index 718877c..b49459a 100644
--- a/server/apiv1/api.go
+++ b/server/apiv1/api.go
@@ -16,8 +16,8 @@ import (
 func fourOFour(w http.ResponseWriter) {
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
-	w.WriteHeader(http.StatusNotFound)
 	w.Header().Set("Content-Type", "text/plain")
+	w.WriteHeader(http.StatusNotFound)
 	_, _ = fmt.Fprint(w, "404 page not found")
 }
 
@@ -25,8 +25,8 @@ func fourOFour(w http.ResponseWriter) {
 func httpError(w http.ResponseWriter, msg string) {
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
-	w.WriteHeader(http.StatusBadRequest)
 	w.Header().Set("Content-Type", "text/plain")
+	w.WriteHeader(http.StatusBadRequest)
 	_, _ = fmt.Fprint(w, msg)
 }
 
@@ -34,10 +34,10 @@ func httpError(w http.ResponseWriter, msg string) {
 func httpJSONError(w http.ResponseWriter, msg string) {
 	w.Header().Set("Referrer-Policy", "no-referrer")
 	w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
+	w.Header().Add("Content-Type", "application/json")
 	w.WriteHeader(http.StatusBadRequest)
 	e := struct{ Error string }{Error: msg}
 
-	w.Header().Add("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(e); err != nil {
 		httpError(w, err.Error())
 	}