Add Cache-Control "no-store" to all dynamically generated content #39550

potiuk · 2024-05-10T15:16:08Z

This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).

potiuk · 2024-05-10T15:18:15Z

Dynamic content:

Static content:

…ache#39550) This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).

…9550) This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default). (cherry picked from commit 94eb647)

…ache#39550) This one prevents accidental storing of dynamic content containing potentially sensitive data in cache. The way we implemented it, we check if the response already contains "Cache-Control" - if it does then it means that this is a static content with default cache control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).

potiuk requested review from ryanahamilton, ashb, bbovenzi and pierrejeambrun as code owners May 10, 2024 15:16

boring-cyborg bot added the area:webserver Webserver related Issues label May 10, 2024

potiuk requested review from hussein-awala, jedcunningham and jscheffl May 10, 2024 15:16

potiuk added this to the Airflow 2.9.2 milestone May 10, 2024

hussein-awala approved these changes May 10, 2024

View reviewed changes

potiuk merged commit 94eb647 into apache:main May 10, 2024
39 checks passed

potiuk deleted the add-cache-control-headers branch May 10, 2024 17:54

utkarsharma2 added the type:improvement Changelog: Improvements label Jun 3, 2024

utkarsharma2 added type:bug-fix Changelog: Bug Fixes and removed type:improvement Changelog: Improvements labels Jun 4, 2024

utkarsharma2 mentioned this pull request Jun 6, 2024

Status of testing of Apache Airflow 2.9.2rc1 #40093

Closed

41 tasks

GoVulnBot mentioned this pull request Jun 14, 2024

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-25142 golang/vulndb#2925

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Cache-Control "no-store" to all dynamically generated content #39550

Add Cache-Control "no-store" to all dynamically generated content #39550

potiuk commented May 10, 2024

potiuk commented May 10, 2024

Add Cache-Control "no-store" to all dynamically generated content #39550

Add Cache-Control "no-store" to all dynamically generated content #39550

Conversation

potiuk commented May 10, 2024

potiuk commented May 10, 2024