HTTP caches can cache logged-in variant of dashboard pages

[simonw]

This happened to me with https://simonwillison.net/dashboard/tag-word-cloud/ - I created it while signed in, then when I viewed it in a signed-out browser window I saw this:

Cloudflare had cached the variant of the page seen by me when I was signed in.

[simonw]

I think the best fix here is to serve cache-control: private on any dashboard pages that are served to signed-in users.

[simonw]

I'm going to use django.utils.cache.add_never_cache_headers(response): https://github.com/django/django/blob/3.2.2/django/utils/cache.py#L270-L275

[simonw]

Actually I have cache-control: private logic already, but it's overly-complex - and it misses the case where the user is signed in and hence seeing a custom version of the page.

I'm going to simplify the logic: if the user is logged in, the page doesn't get cached.