Middlware: Prevented caching of all app requests

Previously we'd prevent caching of authed responses for security (prevent back cache or proxy caching) but caching could still be an issue in non-auth scenarios due to CSRF (eg. returning to login screen after session expiry). For #4600
2025-07-30 04:23:11 +03:00 · 2023-10-23 13:32:15 +01:00
parent 9b4f1fb981
commit 7c4dc981cd
3 changed files with 12 additions and 11 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -15,6 +15,7 @@ class Kernel extends HttpKernel
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \BookStack\Http\Middleware\TrimStrings::class,
        \BookStack\Http\Middleware\TrustProxies::class,
+        \BookStack\Http\Middleware\PreventResponseCaching::class,
    ];

    /**
@ -30,7 +31,6 @@ class Kernel extends HttpKernel
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \BookStack\Http\Middleware\VerifyCsrfToken::class,
-            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
            \BookStack\Http\Middleware\RunThemeActions::class,
            \BookStack\Http\Middleware\Localization::class,
@ -40,7 +40,6 @@ class Kernel extends HttpKernel
            \BookStack\Http\Middleware\EncryptCookies::class,
            \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
            \BookStack\Http\Middleware\ApiAuthenticate::class,
-            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
        ],
    ];