Middlware: Prevented caching of all app requests
Previously we'd prevent caching of authed responses for security (prevent back cache or proxy caching) but caching could still be an issue in non-auth scenarios due to CSRF (eg. returning to login screen after session expiry). For #4600
This commit is contained in:
parent
9b4f1fb981
commit
7c4dc981cd
3 changed files with 12 additions and 11 deletions
|
@ -15,6 +15,7 @@ class Kernel extends HttpKernel
|
||||||
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
|
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
|
||||||
\BookStack\Http\Middleware\TrimStrings::class,
|
\BookStack\Http\Middleware\TrimStrings::class,
|
||||||
\BookStack\Http\Middleware\TrustProxies::class,
|
\BookStack\Http\Middleware\TrustProxies::class,
|
||||||
|
\BookStack\Http\Middleware\PreventResponseCaching::class,
|
||||||
];
|
];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -30,7 +31,6 @@ class Kernel extends HttpKernel
|
||||||
\Illuminate\Session\Middleware\StartSession::class,
|
\Illuminate\Session\Middleware\StartSession::class,
|
||||||
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
||||||
\BookStack\Http\Middleware\VerifyCsrfToken::class,
|
\BookStack\Http\Middleware\VerifyCsrfToken::class,
|
||||||
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
|
|
||||||
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
||||||
\BookStack\Http\Middleware\RunThemeActions::class,
|
\BookStack\Http\Middleware\RunThemeActions::class,
|
||||||
\BookStack\Http\Middleware\Localization::class,
|
\BookStack\Http\Middleware\Localization::class,
|
||||||
|
@ -40,7 +40,6 @@ class Kernel extends HttpKernel
|
||||||
\BookStack\Http\Middleware\EncryptCookies::class,
|
\BookStack\Http\Middleware\EncryptCookies::class,
|
||||||
\BookStack\Http\Middleware\StartSessionIfCookieExists::class,
|
\BookStack\Http\Middleware\StartSessionIfCookieExists::class,
|
||||||
\BookStack\Http\Middleware\ApiAuthenticate::class,
|
\BookStack\Http\Middleware\ApiAuthenticate::class,
|
||||||
\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
|
|
||||||
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
\BookStack\Http\Middleware\CheckEmailConfirmed::class,
|
||||||
],
|
],
|
||||||
];
|
];
|
||||||
|
|
|
@ -5,7 +5,7 @@ namespace BookStack\Http\Middleware;
|
||||||
use Closure;
|
use Closure;
|
||||||
use Symfony\Component\HttpFoundation\Response;
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
|
|
||||||
class PreventAuthenticatedResponseCaching
|
class PreventResponseCaching
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* Handle an incoming request.
|
* Handle an incoming request.
|
||||||
|
@ -20,11 +20,8 @@ class PreventAuthenticatedResponseCaching
|
||||||
/** @var Response $response */
|
/** @var Response $response */
|
||||||
$response = $next($request);
|
$response = $next($request);
|
||||||
|
|
||||||
if (!user()->isGuest()) {
|
$response->headers->set('Cache-Control', 'no-cache, no-store, private');
|
||||||
$response->headers->set('Cache-Control', 'max-age=0, no-store, private');
|
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||||
$response->headers->set('Pragma', 'no-cache');
|
|
||||||
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
|
||||||
}
|
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
|
@ -139,12 +139,17 @@ class SecurityHeaderTest extends TestCase
|
||||||
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
|
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
|
public function test_cache_control_headers_are_set_on_responses()
|
||||||
{
|
{
|
||||||
|
// Public access
|
||||||
|
$resp = $this->get('/');
|
||||||
|
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
|
||||||
|
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||||
|
|
||||||
|
// Authed access
|
||||||
$this->asEditor();
|
$this->asEditor();
|
||||||
$resp = $this->get('/');
|
$resp = $this->get('/');
|
||||||
$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
|
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
|
||||||
$resp->assertHeader('Pragma', 'no-cache');
|
|
||||||
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue