Middlware: Prevented caching of all app requests

Previously we'd prevent caching of authed responses for security
(prevent back cache or proxy caching) but caching could still be an
issue in non-auth scenarios due to CSRF (eg. returning to login screen after
session expiry).

For #4600
This commit is contained in:
Dan Brown 2023-10-23 13:32:15 +01:00
parent 9b4f1fb981
commit 7c4dc981cd
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
3 changed files with 12 additions and 11 deletions

View file

@ -15,6 +15,7 @@ class Kernel extends HttpKernel
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class, \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
\BookStack\Http\Middleware\TrimStrings::class, \BookStack\Http\Middleware\TrimStrings::class,
\BookStack\Http\Middleware\TrustProxies::class, \BookStack\Http\Middleware\TrustProxies::class,
\BookStack\Http\Middleware\PreventResponseCaching::class,
]; ];
/** /**
@ -30,7 +31,6 @@ class Kernel extends HttpKernel
\Illuminate\Session\Middleware\StartSession::class, \Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class, \Illuminate\View\Middleware\ShareErrorsFromSession::class,
\BookStack\Http\Middleware\VerifyCsrfToken::class, \BookStack\Http\Middleware\VerifyCsrfToken::class,
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class, \BookStack\Http\Middleware\CheckEmailConfirmed::class,
\BookStack\Http\Middleware\RunThemeActions::class, \BookStack\Http\Middleware\RunThemeActions::class,
\BookStack\Http\Middleware\Localization::class, \BookStack\Http\Middleware\Localization::class,
@ -40,7 +40,6 @@ class Kernel extends HttpKernel
\BookStack\Http\Middleware\EncryptCookies::class, \BookStack\Http\Middleware\EncryptCookies::class,
\BookStack\Http\Middleware\StartSessionIfCookieExists::class, \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
\BookStack\Http\Middleware\ApiAuthenticate::class, \BookStack\Http\Middleware\ApiAuthenticate::class,
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
\BookStack\Http\Middleware\CheckEmailConfirmed::class, \BookStack\Http\Middleware\CheckEmailConfirmed::class,
], ],
]; ];

View file

@ -5,7 +5,7 @@ namespace BookStack\Http\Middleware;
use Closure; use Closure;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
class PreventAuthenticatedResponseCaching class PreventResponseCaching
{ {
/** /**
* Handle an incoming request. * Handle an incoming request.
@ -20,11 +20,8 @@ class PreventAuthenticatedResponseCaching
/** @var Response $response */ /** @var Response $response */
$response = $next($request); $response = $next($request);
if (!user()->isGuest()) { $response->headers->set('Cache-Control', 'no-cache, no-store, private');
$response->headers->set('Cache-Control', 'max-age=0, no-store, private'); $response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
$response->headers->set('Pragma', 'no-cache');
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
}
return $response; return $response;
} }

View file

@ -139,12 +139,17 @@ class SecurityHeaderTest extends TestCase
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader); $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
} }
public function test_cache_control_headers_are_strict_on_responses_when_logged_in() public function test_cache_control_headers_are_set_on_responses()
{ {
// Public access
$resp = $this->get('/');
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
// Authed access
$this->asEditor(); $this->asEditor();
$resp = $this->get('/'); $resp = $this->get('/');
$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private'); $resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
$resp->assertHeader('Pragma', 'no-cache');
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT'); $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
} }