webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-01-03 23:42:28 +03:00
Code Activity

Middlware: Prevented caching of all app requests

Browse Source 
Previously we'd prevent caching of authed responses for security
(prevent back cache or proxy caching) but caching could still be an
issue in non-auth scenarios due to CSRF (eg. returning to login screen after
session expiry).

For #4600
This commit is contained in:
Dan Brown
2023-10-23 13:32:15 +01:00
parent 9b4f1fb981
commit 7c4dc981cd
3 changed files with 12 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
tests/SecurityHeaderTest.php
View File

@@ -139,12 +139,17 @@ class SecurityHeaderTest extends TestCase
$this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
}
public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
public function test_cache_control_headers_are_set_on_responses()
{
// Public access
$resp = $this->get('/');
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
// Authed access
$this->asEditor();
$resp = $this->get('/');
$resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
$resp->assertHeader('Pragma', 'no-cache');
$resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
$resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
}