Add Cache-Control "no-store" to all dynamically generated content (#3…

…9550) This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default). (cherry picked from commit 94eb647)
apache · Jun 5, 2024 · 0920ae9 · 0920ae9
1 parent faddcc2
commit 0920ae9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/airflow/www/app.py b/airflow/www/app.py
@@ -44,6 +44,7 @@
 from airflow.www.extensions.init_robots import init_robots
 from airflow.www.extensions.init_security import (
     init_api_experimental_auth,
+    init_cache_control,
     init_check_user_active,
     init_xframe_protection,
 )
@@ -179,6 +180,7 @@ def create_app(config=None, testing=False):
 
         init_jinja_globals(flask_app)
         init_xframe_protection(flask_app)
+        init_cache_control(flask_app)
         init_airflow_session_interface(flask_app)
         init_check_user_active(flask_app)
     return flask_app

diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py
@@ -66,6 +66,15 @@ def init_api_experimental_auth(app):
         raise AirflowException(err)
 
 
+def init_cache_control(app):
+    def apply_cache_control(response):
+        if "Cache-Control" not in response.headers:
+            response.headers["Cache-Control"] = "no-store"
+        return response
+
+    app.after_request(apply_cache_control)
+
+
 def init_check_user_active(app):
     @app.before_request
     def check_user_active():