fix: set ETag and Cache-Control headers on embedded fallback assets

Embedded assets (style.css, index.html, 404.html) served via
serveEmbedded() and serveNotFound() were missing ETag, Cache-Control,
and Vary headers, preventing conditional request (304) support.

Both paths now emit the same caching headers as the regular disk/cache
path, respecting the enable_etags config flag. Three new tests cover
ETag on/off and Cache-Control max-age for the embedded path.

Landing page updated to reflect full ETag coverage across all assets.

Author: jkyberneees

internal/handler/file.go

@@ -383,8 +383,18 @@ func (h *FileHandler) serveEmbedded(ctx *fasthttp.RequestCtx, urlPath string) bo
 		return false
 	}
 	ct := detectContentType(name, data)
+	etag := computeETag(data)
+
 	ctx.Response.Header.Set("Content-Type", ct)
 	ctx.Response.Header.Set("X-Cache", "MISS")
+
+	// Set ETag and Cache-Control headers for embedded assets.
+	if h.cfg.Headers.EnableETags {
+		ctx.Response.Header.Set("ETag", `W/"`+etag+`"`)
+	}
+	ctx.Response.Header.Set("Cache-Control", "public, max-age="+strconv.Itoa(h.cfg.Headers.StaticMaxAge))
+	ctx.Response.Header.Add("Vary", "Accept-Encoding")
+
 	ctx.SetStatusCode(fasthttp.StatusOK)
 	ctx.SetBody(data)
 	return true
@@ -405,6 +415,13 @@ func (h *FileHandler) serveNotFound(ctx *fasthttp.RequestCtx) {
 	// Fall back to the embedded default 404.html.
 	if data, err := fs.ReadFile(defaults.FS, "public/404.html"); err == nil {
 		ctx.Response.Header.Set("Content-Type", "text/html; charset=utf-8")
+
+		// Set ETag for embedded 404 page.
+		if h.cfg.Headers.EnableETags {
+			etag := computeETag(data)
+			ctx.Response.Header.Set("ETag", `W/"`+etag+`"`)
+		}
+
 		ctx.SetStatusCode(fasthttp.StatusNotFound)
 		ctx.SetBody(data)
 		return

internal/handler/file_test.go

@@ -618,6 +618,82 @@ func TestEmbedFallback_404HTML(t *testing.T) {
 	}
 }
 
+// TestEmbedFallback_StyleCSS_ETag verifies that /style.css served from the
+// embedded FS includes an ETag header when enable_etags is true, and omits it
+// when enable_etags is false.
+func TestEmbedFallback_StyleCSS_ETag(t *testing.T) {
+	t.Run("etag enabled", func(t *testing.T) {
+		cfg := setupEmptyRootCfg(t)
+		cfg.Headers.EnableETags = true
+		c := cache.NewCache(cfg.Cache.MaxBytes)
+		h := handler.BuildHandler(cfg, c)
+
+		ctx := newTestCtx("GET", "/style.css")
+		h(ctx)
+
+		if ctx.Response.StatusCode() != fasthttp.StatusOK {
+			t.Fatalf("status = %d, want 200", ctx.Response.StatusCode())
+		}
+		etag := string(ctx.Response.Header.Peek("ETag"))
+		if etag == "" {
+			t.Error("ETag header must be set on embedded style.css when enable_etags=true")
+		}
+	})
+
+	t.Run("etag disabled", func(t *testing.T) {
+		cfg := setupEmptyRootCfg(t)
+		cfg.Headers.EnableETags = false
+		c := cache.NewCache(cfg.Cache.MaxBytes)
+		h := handler.BuildHandler(cfg, c)
+
+		ctx := newTestCtx("GET", "/style.css")
+		h(ctx)
+
+		etag := string(ctx.Response.Header.Peek("ETag"))
+		if etag != "" {
+			t.Errorf("ETag header must NOT be set when enable_etags=false, got %q", etag)
+		}
+	})
+}
+
+// TestEmbedFallback_404HTML_ETag verifies that the embedded 404.html includes
+// an ETag header when enable_etags is true.
+func TestEmbedFallback_404HTML_ETag(t *testing.T) {
+	cfg := setupEmptyRootCfg(t)
+	cfg.Headers.EnableETags = true
+	cfg.Files.NotFound = ""
+	c := cache.NewCache(cfg.Cache.MaxBytes)
+	h := handler.BuildHandler(cfg, c)
+
+	ctx := newTestCtx("GET", "/totally-unknown-file.xyz")
+	h(ctx)
+
+	if ctx.Response.StatusCode() != fasthttp.StatusNotFound {
+		t.Fatalf("status = %d, want 404", ctx.Response.StatusCode())
+	}
+	etag := string(ctx.Response.Header.Peek("ETag"))
+	if etag == "" {
+		t.Error("ETag header must be set on embedded 404.html when enable_etags=true")
+	}
+}
+
+// TestEmbedFallback_StyleCSS_CacheControl verifies that /style.css served from
+// the embedded FS includes a Cache-Control header with the configured max-age.
+func TestEmbedFallback_StyleCSS_CacheControl(t *testing.T) {
+	cfg := setupEmptyRootCfg(t)
+	cfg.Headers.StaticMaxAge = 7200
+	c := cache.NewCache(cfg.Cache.MaxBytes)
+	h := handler.BuildHandler(cfg, c)
+
+	ctx := newTestCtx("GET", "/style.css")
+	h(ctx)
+
+	cc := string(ctx.Response.Header.Peek("Cache-Control"))
+	if !strings.Contains(cc, "max-age=7200") {
+		t.Errorf("Cache-Control = %q, want it to contain max-age=7200", cc)
+	}
+}
+
 // TestEmbedFallback_SubpathNotServed verifies that the embed fallback only
 // handles flat filenames. A URL like /sub/index.html must NOT be served from
 // the embedded FS (guard against sub-path traversal) and must return 404.

public/index.html

@@ -59,7 +59,8 @@
     <div class="kv"><span class="key ok">✓ cache</span>      <span class="val dim">in-memory LRU, configurable TTL</span></div>
     <div class="kv"><span class="key ok">✓ compress</span>   <span class="val dim">gzip on-the-fly + pre-compressed sidecar files</span></div>
     <div class="kv"><span class="key ok">✓ tls</span>        <span class="val dim">TLS 1.2 / 1.3, HTTP/2 via ALPN</span></div>
-    <div class="kv"><span class="key ok">✓ headers</span>    <span class="val dim">ETag, Cache-Control, CSP, CORS, HSTS</span></div>
+    <div class="kv"><span class="key ok">✓ etags</span>      <span class="val dim">SHA-256 ETags + 304 on all assets, incl. embedded fallbacks</span></div>
+    <div class="kv"><span class="key ok">✓ headers</span>    <span class="val dim">Cache-Control, CSP, CORS, HSTS</span></div>
     <div class="kv"><span class="key ok">✓ security</span>   <span class="val dim">dotfile blocking, security headers</span></div>
     <div class="kv"><span class="key ok">✓ graceful</span>   <span class="val dim">SIGHUP reload · SIGTERM drain &amp; shutdown</span></div>
   </div>