-
-
Notifications
You must be signed in to change notification settings - Fork 828
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[huntr] adding cache control headers to the admin area #3097
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not very familiar with that header, but it looks fine to me.
I haven't read the bounty issue though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using this header on all routes seems overkill, does it not? From what I've seen online, it should be possible to only apply these headers on the logout route, and that will invalidate the cache from the past too.
We also need extra headers to make sure all browsers invalidate the cache correctly. See this from when I started to work on this.
Using the header on the admin routes is fine. Because that is what generates the HTML. Applying them only on the logout route will invalidate cache on that route, but it already has no cache. It's the HTML that might be cached and share data from the logged out admin. |
Gotcha. Looks good to me. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code makes sense, haven't tested locally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Fixes https://huntr.dev/bounties/73176569-c102-47ad-9e95-17dd344a8847/
Changes proposed in this pull request:
This PR forces the
Cache-Control: no-store, max-age=0
header to the response in the Admin Area. This forces cache to be ignored upon browsing back and forth between pages using the browser controls. Although absolutely no fail safe, it should provide better protection against serving cached pages once an admin has signed out.Reviewers should focus on:
For now, I don't think we need to push this onto the Forum frontend, but we do need to start looking into cache control soon. Perhaps I can tease @BartVB to write some directions in the headers to apply for us as cache control is quite an expertise.