From 0920ae90eafbdb8c09f6ef7e2f0a1a520fee1e08 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Fri, 10 May 2024 19:54:03 +0200
Subject: [PATCH] Add Cache-Control "no-store" to all dynamically generated content (#39550)

This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).

(cherry picked from commit 94eb647de692a4d9555b02dce85974da5d4c04e3)
---
 airflow/www/app.py | 2 ++
 airflow/www/extensions/init_security.py | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/airflow/www/app.py b/airflow/www/app.py
index 7f4405321f3ef..31106b05eb60f 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -44,6 +44,7 @@ from airflow.www.extensions.init_robots import init_robots
 from airflow.www.extensions.init_security import (
     init_api_experimental_auth,
+    init_cache_control,
     init_check_user_active,
     init_xframe_protection,
 )
@@ -179,6 +180,7 @@ def create_app(config=None, testing=False):
     init_jinja_globals(flask_app)
     init_xframe_protection(flask_app)
+    init_cache_control(flask_app)
     init_airflow_session_interface(flask_app)
     init_check_user_active(flask_app)
     return flask_app
diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py
index a7739e323160c..8bf2c29fbfbe3 100644
--- a/airflow/www/extensions/init_security.py
+++ b/airflow/www/extensions/init_security.py
@@ -66,6 +66,15 @@ def init_api_experimental_auth(app):
     raise AirflowException(err)
 
 
+def init_cache_control(app):
+    def apply_cache_control(response):
+        if "Cache-Control" not in response.headers:
+            response.headers["Cache-Control"] = "no-store"
+        return response
+
+    app.after_request(apply_cache_control)
+
+
 def init_check_user_active(app):
     @app.before_request
     def check_user_active():
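Review bot: `init_cache_control` has no docstring, so the "only when the header is absent" condition in `apply_cache_control` reads like an oversight rather than the deliberate carve-out for static assets that the commit message describes; the rationale lives only in the commit and will be lost to the next reader of this file. I would add `"""Mark every response that carries no explicit Cache-Control as "no-store" so dynamically generated pages are not kept by browser or proxy caches; static assets already carry the header derived from SEND_FILE_MAX_AGE_DEFAULT and are left untouched."""` on `init_cache_control`, and a one-line `# presumably only static files arrive with Cache-Control already set — any view that sets its own header is honoured` above the `if`. It is worth noting in that docstring that a static response served without Cache-Control (if the configured max-age ever yields no header) would also be marked no-store, which is safe but affects caching. As a point of style, the neighbouring `init_check_user_active` registers its hook with the `@app.before_request` decorator, so `@app.after_request` on `apply_cache_control` would keep the file consistent and drop the explicit `app.after_request(...)` call. `init_check_user_active` continues outside the hunk.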