fix(security): add cache-control headers to token endpoints#2217
Closed
maxdinech wants to merge 2 commits intosupabase:masterfrom
Closed
fix(security): add cache-control headers to token endpoints#2217maxdinech wants to merge 2 commits intosupabase:masterfrom
maxdinech wants to merge 2 commits intosupabase:masterfrom
Conversation
…caching Token endpoints (password grant, refresh token, PKCE, MFA, etc.) were missing Cache-Control headers, allowing browsers to cache JWT tokens in memory. This violates RFC 6749 Section 5.1 which requires token responses to include 'Cache-Control: no-store'. Security Impact: - Browsers like Firefox cache token responses in about:cache - Attackers with physical access can extract cached JWT tokens - Leads to potential session hijacking Changes: - Add sendTokenJSON helper function with no-store cache headers - Update all token-returning endpoints to use sendTokenJSON - Covers password, refresh, PKCE, MFA, OIDC, Web3, anonymous, signup, and verify flows Fixes discovered during professional security audit (OWASP OTG-AUTHN-006).
hf
reviewed
Oct 29, 2025
Comment on lines
+23
to
+24
| w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate") | ||
| w.Header().Set("Pragma", "no-cache") |
Contributor
There was a problem hiding this comment.
These apply just in general to all Auth requests, so maybe it can be added as middleware?
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix - Security hardening
What is the current behavior?
Token endpoints (password grant, refresh token, PKCE, MFA, etc.) do not set
Cache-Controlheaders in their responses. This allows browsers to cache JWT token responses containing sensitive credentials.Security Impact:
about:cacheCache-Control: no-storeIssue discovered during professional security audit (OWASP OTG-AUTHN-006)
Affected endpoints:
/token?grant_type=password(password login)/token?grant_type=refresh_token(token refresh)/token?grant_type=pkce(OAuth PKCE flow)/token?grant_type=id_token(OIDC)/token?grant_type=web3(Web3 authentication)/verify(email/phone verification)/signup(user registration)What is the new behavior?
All token endpoints now return proper cache control headers:
Implementation:
sendTokenJSONhelper function ininternal/api/helpers.gosendTokenJSONinstead ofsendJSONBrowsers will no longer cache token responses, preventing exposure of JWT tokens through browser cache inspection.
Additional context
Testing performed:
make formatpassedmake vetpassedReferences:
This change affects all authentication flows but is backward compatible - it only adds headers, doesn't modify response bodies or behavior.