BookStack/app/Http/Middleware/PreventAuthenticatedResponseCaching.php
Dan Brown 41ac69adb1
Forced response cache revalidation on logged-in responses
- Prevents authenticated responses being visible when back button
  pressed in browser.
- Previously, 'no-cache, private' was added by default by Symfony which
  would have prevents proxy cache issues but this adds no-store and a
  max-age option to also invalidate all caching.

Thanks to @haxatron via huntr.dev
Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/
2021-10-08 15:22:09 +01:00

31 lines
746 B
PHP

<?php
namespace BookStack\Http\Middleware;
use Closure;
use Symfony\Component\HttpFoundation\Response;
class PreventAuthenticatedResponseCaching
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
/** @var Response $response */
$response = $next($request);
if (signedInUser()) {
$response->headers->set('Cache-Control', 'max-age=0, no-store, private');
$response->headers->set('Pragma', 'no-cache');
$response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
}
return $response;
}
}