trojs · w3nl · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/src/handlers/not-found.js b/src/handlers/not-found.js
@@ -1,5 +1,7 @@
 export const notFound = (_context, request, response) => {
-  response.status(404)
+  if (!response.headersSent) {
+    response.status(404)
+  }
   return {
     status: 404,
     timestamp: new Date(),

diff --git a/src/handlers/request-validation.js b/src/handlers/request-validation.js
@@ -1,5 +1,7 @@
 export const requestValidation = (context, request, response) => {
-  response.status(400)
+  if (!response.headersSent) {
+    response.status(400)
+  }
   return {
     errors: context.validation.errors,
     status: 400,

diff --git a/src/handlers/response-validation.js b/src/handlers/response-validation.js
@@ -1,4 +1,9 @@
 export default (logger, validateResponse) => (context, request, response) => {
+  // Prevent sending response if headers are already sent (e.g., after redirect)
+  if (response.headersSent) {
+    return undefined
+  }
+
   const responseDoesntNeedValidation = response.statusCode >= 400
   if (responseDoesntNeedValidation) {
     return response.json(context.response)
@@ -22,12 +27,15 @@ export default (logger, validateResponse) => (context, request, response) => {
         response: context.response
       })
     }
-    return response.status(502).json({
-      errors: valid.errors,
-      status: 502,
-      timestamp: new Date(),
-      message: 'Bad response'
-    })
+    if (!response.headersSent) {
+      return response.status(502).json({
+        errors: valid.errors,
+        status: 502,
+        timestamp: new Date(),
+        message: 'Bad response'
+      })
+    }
+    return undefined
   }
 
   if (!context.response) {

diff --git a/src/handlers/unauthorized.js b/src/handlers/unauthorized.js
@@ -1,5 +1,7 @@
 export const unauthorized = async (context, request, response) => {
-  response.status(401)
+  if (!response.headersSent) {
+    response.status(401)
+  }
   return {
     status: 401,
     timestamp: new Date(),