The Problem
Hey contributors! We noticed a small consistency gap in how our backend handles HTTP headers.
Right now, endpoints like /stats, /heartbeat, /upload, and /request-transfer explicitly tell browsers and local networks not to cache data by setting security headers. However, our file download endpoints (/download and /download/{idx}) are completely missing these headers.
On a shared local area network (LAN), like a college hostel Wi-Fi or a coworking space, intermediate proxies, browser caches, or aggressive service workers could accidentally cache file content. This means a user might pull a stale or incorrect file instead of the fresh stream. Since the download endpoints handle sensitive user files, we need them to be perfectly secure!
Where to Look
Pop open beamsync/server.go and head down to the StartSender() function. You'll find two distinct handlers:
- Single-file handler (around line 1347):
mux.HandleFunc("/download", ...)
- Multi-file handler (around line 1419):
mux.HandleFunc("/download/{idx}", ...)
Both are tucked inside the if len(filePaths) == 1 and else conditional blocks.
The Goal
- Inject the standard cache-busting header right after setCORSHeaders(w, r) is invoked in both download handlers:
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
- Spin up the server locally and verify the header presence using your terminal:
curl -v "http://localhost:PORT/download?token=YOUR_TOKEN"
- Ensure all existing backend tests still pass cleanly!
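The same check can be run in-process instead of with curl. This is an added example, not part of the original issue or the project's code: buildMux and its handlers are constructed stand-ins for the real ones in StartSender(), and the "/download/" subtree route stands in for "/download/{idx}".

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header value the issue asks for on the download handlers.
const wantCacheControl = "no-store, no-cache, must-revalidate"

// missingNoStore sends a GET to each path and returns the paths whose
// response does not carry a no-store directive in Cache-Control.
func missingNoStore(h http.Handler, paths []string) []string {
	var missing []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		cc := strings.ToLower(strings.Join(rec.Result().Header.Values("Cache-Control"), ","))
		if !strings.Contains(cc, "no-store") {
			missing = append(missing, p)
		}
	}
	return missing
}

// buildMux is a constructed stand-in: fixed toggles the header on downloads.
func buildMux(fixed bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/stats", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", wantCacheControl)
	})
	download := func(w http.ResponseWriter, r *http.Request) {
		if fixed {
			w.Header().Set("Cache-Control", wantCacheControl)
		}
		w.Write([]byte("file bytes")) // constructed sample body
	}
	mux.HandleFunc("/download", download)
	mux.HandleFunc("/download/", download) // stands in for /download/{idx}
	return mux
}

func main() {
	paths := []string{"/stats", "/download?token=t", "/download/0?token=t"}
	fmt.Println("before fix:", missingNoStore(buildMux(false), paths))
	fmt.Println("after fix: ", missingNoStore(buildMux(true), paths))
}
```

Pointing missingNoStore at the real mux with every route listed turns the consistency gap into a regression test.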