Add Cache-Control: private, no-store headers where appropriate #793

Open
tashian opened this issue Jan 10, 2022 · 0 comments · May be fixed by #1471
Comments

tashian commented Jan 10, 2022

The recommendation is to set Cache-Control: private, no-store on any endpoint with sensitive information, because while you can protect the traffic with TLS, you also need to keep sensitive information out of a client's (unencrypted) HTTP cache. I'm not sure how relevant this is to the API context of step-ca though—I've never seen an HTTP client library that caches content. But I guess the point here is that a client could cache any content unless we tell it not to.

tashian added the enhancement and needs triage (Waiting for discussion / prioritization by team) labels Jan 10, 2022
dopey removed the needs triage (Waiting for discussion / prioritization by team) label Jan 12, 2022
km274 added a commit to km274/certificates that referenced this issue Jul 10, 2023
km274 linked a pull request Jul 10, 2023 that will close this issue
km274 added a commit to km274/certificates that referenced this issue Jul 11, 2023
km274 added a commit to km274/certificates that referenced this issue Jul 12, 2023
km274 added a commit to km274/certificates that referenced this issue Jul 13, 2023
km274 added a commit to km274/certificates that referenced this issue Jul 13, 2023
km274 added a commit to km274/certificates that referenced this issue Jul 20, 2023
km274 added a commit to km274/certificates that referenced this issue Sep 15, 2023
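
The recommendation in the issue above, written as Go `net/http` middleware (an added example, not code from step-ca or the linked pull request): the wrapper sets `Cache-Control: private, no-store` on a sensitive route, error responses included, and leaves a non-sensitive route untouched. The `/sign` and `/health` paths and the names `noStore`, `newMux` and `cacheControl` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// noStore wraps a handler so every response it produces, including error
// responses, tells the client and any intermediary not to cache it.
func noStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set before next runs: headers are frozen at the first WriteHeader/Write.
		w.Header().Set("Cache-Control", "private, no-store")
		next.ServeHTTP(w, r)
	})
}

// newMux builds a router with hypothetical paths (not step-ca's real routes):
// /sign returns sensitive material, /health carries nothing sensitive.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/sign", noStore(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, `{"crt":"constructed-sample-certificate"}`) // constructed sample body
	})))
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	return mux
}

// cacheControl issues one in-memory request and returns the response's
// Cache-Control header, so the policy can be checked without a network.
func cacheControl(h http.Handler, method, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Result().Header.Get("Cache-Control")
}

func main() {
	mux := newMux()
	fmt.Printf("POST /sign   -> %q\n", cacheControl(mux, http.MethodPost, "/sign"))
	fmt.Printf("GET  /sign   -> %q\n", cacheControl(mux, http.MethodGet, "/sign"))
	fmt.Printf("GET  /health -> %q\n", cacheControl(mux, http.MethodGet, "/health"))
}
```

Wrapping per route keeps the decision about which endpoints are sensitive explicit; the same `cacheControl` check can be run over every registered route to find handlers that were missed.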