Middlware: Prevented caching of all app requests
Previously we'd prevent caching of authed responses for security (prevent back cache or proxy caching) but caching could still be an issue in non-auth scenarios due to CSRF (eg. returning to login screen after session expiry). For #4600
This commit is contained in:
parent
9b4f1fb981
commit
7c4dc981cd
3 changed files with 12 additions and 11 deletions
|
@ -15,6 +15,7 @@ class Kernel extends HttpKernel
|
|||
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
|
||||
\BookStack\Http\Middleware\TrimStrings::class,
|
||||
\BookStack\Http\Middleware\TrustProxies::class,
|
||||
\BookStack\Http\Middleware\PreventResponseCaching::class,
|
||||
];
|
||||
|
||||
/**
|
||||
|
@ -30,7 +31,6 @@ class Kernel extends HttpKernel
|
|||
\Illuminate\Session\Middleware\StartSession::class,
|
||||
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
||||
\BookStack\Http\Middleware\VerifyCsrfToken::class,
|
||||
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
|
||||
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
||||
\BookStack\Http\Middleware\RunThemeActions::class,
|
||||
\BookStack\Http\Middleware\Localization::class,
|
||||
|
@ -40,7 +40,6 @@ class Kernel extends HttpKernel
|
|||
\BookStack\Http\Middleware\EncryptCookies::class,
|
||||
\BookStack\Http\Middleware\StartSessionIfCookieExists::class,
|
||||
\BookStack\Http\Middleware\ApiAuthenticate::class,
|
||||
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
|
||||
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
||||
],
|
||||
];
|
||||
|
|
|
@ -5,7 +5,7 @@ namespace BookStack\Http\Middleware;
|
|||
use Closure;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class PreventAuthenticatedResponseCaching
|
||||
class PreventResponseCaching
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
|
@ -20,11 +20,8 @@ class PreventAuthenticatedResponseCaching
|
|||
/** @var Response $response */
|
||||
$response = $next($request);
|
||||
|
||||
if (!user()->isGuest()) {
|
||||
$response->headers->set('Cache-Control', 'max-age=0, no-store, private');
|
||||
$response->headers->set('Pragma', 'no-cache');
|
||||
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||
}
|
||||
$response->headers->set('Cache-Control', 'no-cache, no-store, private');
|
||||
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||
|
||||
return $response;
|
||||
}
|
|
@ -139,12 +139,17 @@ class SecurityHeaderTest extends TestCase
|
|||
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
|
||||
}
|
||||
|
||||
public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
|
||||
public function test_cache_control_headers_are_set_on_responses()
|
||||
{
|
||||
// Public access
|
||||
$resp = $this->get('/');
|
||||
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
|
||||
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||
|
||||
// Authed access
|
||||
$this->asEditor();
|
||||
$resp = $this->get('/');
|
||||
$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
|
||||
$resp->assertHeader('Pragma', 'no-cache');
|
||||
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
|
||||
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue