Return a no-store Cache-Control header for newNonce (#4908)

The spec specifies (https://tools.ietf.org/html/rfc8555#section-7.2) that a `no-store` Cache-Control header is required in response to getting a new nonce. This PR makes that change specifically but does not modify other uses of the `no-cache` directive. Fixes #4727
letsencrypt · Jun 26, 2020 · 203ec13 · 203ec13
1 parent edee82d
commit 203ec13
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -515,12 +515,17 @@ func (wfe *WebFrontEndImpl) Nonce(
 	}
 
 	statusCode := http.StatusNoContent
-	// The ACME specification says GET requets should receive http.StatusNoContent
+	// The ACME specification says GET requests should receive http.StatusNoContent
 	// and HEAD/POST-as-GET requests should receive http.StatusOK.
 	if request.Method != "GET" {
 		statusCode = http.StatusOK
 	}
 	response.WriteHeader(statusCode)
+
+	// The ACME specification says the server MUST include a Cache-Control header
+	// field with the "no-store" directive in responses for the newNonce resource,
+	// in order to prevent caching of this resource.
+	response.Header().Set("Cache-Control", "no-store")
 }
 
 // sendError wraps web.SendError

diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -905,6 +905,11 @@ func TestNonceEndpoint(t *testing.T) {
 			// And the response should contain a valid nonce in the Replay-Nonce header
 			nonce := responseWriter.Header().Get("Replay-Nonce")
 			test.AssertEquals(t, wfe.nonceService.Valid(nonce), true)
+			// The server MUST include a Cache-Control header field with the "no-store"
+			// directive in responses for the newNonce resource, in order to prevent
+			// caching of this resource.
+			cacheControl := responseWriter.Header().Get("Cache-Control")
+			test.AssertEquals(t, cacheControl, "no-store")
 		})
 	}
 }