Add Cache-Control: private, no-store HTTP header to server endpoint…

…s that respond with sensitive info. Fixes #793
smallstep · Jul 20, 2023 · 2b8a417 · 2b8a417
1 parent d604a90
commit 2b8a417
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/authority/admin/api/provisioner.go b/authority/admin/api/provisioner.go
@@ -55,6 +55,8 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
 		render.Error(w, err)
 		return
 	}
+
+	w.Header().Set("Cache-Control", "private, no-store")
 	render.ProtoJSON(w, prov)
 }
 
@@ -72,6 +74,7 @@ func GetProvisioners(w http.ResponseWriter, r *http.Request) {
 		render.Error(w, errs.InternalServerErr(err))
 		return
 	}
+
 	render.JSON(w, &GetProvisionersResponse{
 		Provisioners: p,
 		NextCursor:   next,
@@ -102,6 +105,8 @@ func CreateProvisioner(w http.ResponseWriter, r *http.Request) {
 		render.Error(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
 		return
 	}
+
+	w.Header().Set("Cache-Control", "private, no-store")
 	render.ProtoJSONStatus(w, prov, http.StatusCreated)
 }
 
@@ -198,6 +203,8 @@ func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
 		render.Error(w, err)
 		return
 	}
+
+	w.Header().Set("Cache-Control", "private, no-store")
 	render.ProtoJSON(w, nu)
 }
 

diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
@@ -127,6 +127,7 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 		return
 	}
 
+	w.Header().Set("Cache-Control", "private, no-store")
 	render.ProtoJSONStatus(w, newWebhook, http.StatusCreated)
 }
 
@@ -231,5 +232,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 		Auth:                 newWebhook.Auth,
 		DisableTlsClientAuth: newWebhook.DisableTlsClientAuth,
 	}
+
+	w.Header().Set("Cache-Control", "private, no-store")
 	render.ProtoJSONStatus(w, whResponse, http.StatusCreated)
 }