satellite/console: Add Cache-Control headers

Set headers on the UI and API to not store cache for requests. Static content can still be cached by the browser. Caching for one hour also remains on a couple usage endpoints that require authentication. By default, Cache-Control=no-store is now set on all requests. It must be overridden in cases where caching is desireable. storj/storj-private#294 Change-Id: Icf2d466b1bce49f8917126028816844e43802faf
storj · Mar 15, 2024 · 93b545c · 93b545c
1 parent 0d9fa41
commit 93b545c
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/satellite/console/consoleweb/server.go b/satellite/console/consoleweb/server.go
@@ -262,6 +262,9 @@ func NewServer(logger *zap.Logger, config Config, service *console.Service, oidc
 	router.Use(newTraceRequestMiddleware(logger, router))
 
 	router.Use(requestid.AddToContext)
+	// by default, set Cache-Control=no-store for all requests
+	// if requests should be cached (e.g. static assets), the cache control header can be overridden
+	router.Use(cacheNoStoreMiddleware)
 
 	// limit body size
 	router.Use(newBodyLimiterMiddleware(logger.Named("body-limiter-middleware"), config.BodySizeLimit))
@@ -501,6 +504,9 @@ func NewFrontendServer(logger *zap.Logger, config Config, listener net.Listener,
 	// N.B. This middleware has to be the first one because it has to be called
 	// the earliest in the HTTP chain.
 	router.Use(newTraceRequestMiddleware(logger, router))
+	// by default, set Cache-Control=no-store for all requests
+	// if requests should be cached (e.g. static assets), the cache control header can be overridden
+	router.Use(cacheNoStoreMiddleware)
 
 	// in local development, proxy certain requests to the console back-end server
 	if config.BackendReverseProxy != "" {
@@ -577,6 +583,13 @@ func (server *Server) Close() error {
 	return server.server.Close()
 }
 
+func cacheNoStoreMiddleware(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
+		handler.ServeHTTP(w, r)
+	})
+}
+
 // setAppHeaders sets the necessary headers for requests to the app.
 func (server *Server) setAppHeaders(w http.ResponseWriter, r *http.Request) {
 	header := w.Header()