Add Cache-Control: private, no-store HTTP header to server endpoints that respond with sensitive info.

Fixes #793
km274 committed Jul 11, 2023
1 parent d39a285 commit 65b344c
Showing 6 changed files with 18 additions and 0 deletions.
2 changes: 2 additions & 0 deletions acme/api/account.go
Expand Up @@ -162,6 +162,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
linker.LinkAccount(ctx, acc)

w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
w.Header().Set("Cache-Control", "private, no-store")
render.JSONStatus(w, acc, httpStatus)
}

Expand Down Expand Up @@ -212,6 +213,7 @@ func GetOrUpdateAccount(w http.ResponseWriter, r *http.Request) {
linker.LinkAccount(ctx, acc)

w.Header().Set("Location", linker.GetLink(ctx, acme.AccountLinkType, acc.ID))
w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, acc)
}

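Review bot: The header is set by hand immediately before the success render in NewAccount (line 23) and GetOrUpdateAccount (line 31), so any response that leaves these handlers through render.Error earlier in the body, and any handler added later, goes out without it; the same per-call-site pattern repeats in acme/api/handler.go, api/api.go, authority/admin/api/provisioner.go and authority/admin/api/webhook.go. A single helper in the render package, or a middleware on the affected routers, that sets the header on every response would be much harder to miss, and scep/api/api.go's writeResponse in this same commit already shows the centralised form. Both functions begin before their hunks. If a helper is not wanted, a one-line comment at each call site, `// response carries account data; keep browsers and proxies from storing it`, records why the header is here.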
2 changes: 2 additions & 0 deletions acme/api/handler.go
Expand Up @@ -306,6 +306,7 @@ func GetAuthorization(w http.ResponseWriter, r *http.Request) {
linker.LinkAuthorization(ctx, az)

w.Header().Set("Location", linker.GetLink(ctx, acme.AuthzLinkType, az.ID))
w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, az)
}

Expand Down Expand Up @@ -359,6 +360,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {

w.Header().Add("Link", link(linker.GetLink(ctx, acme.AuthzLinkType, azID), "up"))
w.Header().Set("Location", linker.GetLink(ctx, acme.ChallengeLinkType, azID, ch.ID))
w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, ch)
}

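Review bot: Only GetAuthorization (line 42) and GetChallenge (line 50) receive the header in this file, yet an ACME server also serves order objects and issued certificates; if those handlers live in this package they return the same kind of per-account data and presumably need the same line. Both handlers begin before their hunks, so I cannot see whether an earlier render.Error path also returns account-bound detail without the header.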
2 changes: 2 additions & 0 deletions api/api.go
Expand Up @@ -379,6 +379,7 @@ func Provisioners(w http.ResponseWriter, r *http.Request) {
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, &ProvisionersResponse{
Provisioners: p,
NextCursor: next,
Expand All @@ -394,6 +395,7 @@ func ProvisionerKey(w http.ResponseWriter, r *http.Request) {
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, &ProvisionerKeyResponse{key})
}

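Review bot: None of the six files in this commit is a test, so nothing asserts that the header is present on the Provisioners (line 61) and ProvisionerKey (line 69) responses, and a later refactor of the render calls could drop it unnoticed. The existing handler tests, if they exercise these endpoints through an httptest recorder, should check that the recorder's `Header().Get("Cache-Control")` equals `"private, no-store"` on the success path. Both handlers begin before their hunks.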
8 changes: 8 additions & 0 deletions authority/admin/api/provisioner.go
Expand Up @@ -55,6 +55,8 @@ func GetProvisioner(w http.ResponseWriter, r *http.Request) {
render.Error(w, err)
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.ProtoJSON(w, prov)
}

Expand All @@ -72,6 +74,8 @@ func GetProvisioners(w http.ResponseWriter, r *http.Request) {
render.Error(w, errs.InternalServerErr(err))
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.JSON(w, &GetProvisionersResponse{
Provisioners: p,
NextCursor: next,
Expand Down Expand Up @@ -102,6 +106,8 @@ func CreateProvisioner(w http.ResponseWriter, r *http.Request) {
render.Error(w, admin.WrapErrorISE(err, "error storing provisioner %s", prov.Name))
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.ProtoJSONStatus(w, prov, http.StatusCreated)
}

Expand Down Expand Up @@ -198,6 +204,8 @@ func UpdateProvisioner(w http.ResponseWriter, r *http.Request) {
render.Error(w, err)
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.ProtoJSON(w, nu)
}

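Review bot: In this file the new header line is separated from the preceding error check by a new blank line (lines 80, 89, 98, 107), whereas in acme/api/account.go and acme/api/handler.go it sits directly against the Location line; pick one placement across the commit so the line is recognisable as the same fixture everywhere. All four handlers begin before their hunks.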
3 changes: 3 additions & 0 deletions authority/admin/api/webhook.go
Expand Up @@ -127,6 +127,7 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
return
}

w.Header().Set("Cache-Control", "private, no-store")
render.ProtoJSONStatus(w, newWebhook, http.StatusCreated)
}

Expand Down Expand Up @@ -231,5 +232,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
Auth: newWebhook.Auth,
DisableTlsClientAuth: newWebhook.DisableTlsClientAuth,
}

w.Header().Set("Cache-Control", "private, no-store")
render.ProtoJSONStatus(w, whResponse, http.StatusCreated)
}
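Review bot: The response built just above the new header still copies `Auth: newWebhook.Auth` (line 124) into whResponse, so whatever the webhook's authentication settings contain is returned to the caller on every update; Cache-Control only keeps browsers and intermediaries from storing that reply, it does not reduce what is disclosed. If the admin client does not need those settings echoed back, dropping the Auth field from whResponse is the stronger fix and the header becomes defence in depth. Separately, UpdateProvisionerWebhook answers an update with http.StatusCreated (line 129); that predates this commit but is worth a follow-up. Both methods begin before their hunks.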
1 change: 1 addition & 0 deletions scep/api/api.go
Expand Up @@ -359,6 +359,7 @@ func writeResponse(w http.ResponseWriter, res Response) {
}

w.Header().Set("Content-Type", contentHeader(res))
w.Header().Set("Cache-Control", "private, no-store")
_, _ = w.Write(res.Data)
}

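Review bot: writeResponse is the single exit for SCEP replies, so the header on line 137 now applies to every message type routed through it, including any that carry nothing sensitive (CA capability or CA certificate replies, if they pass through here); that is harmless with `no-store`, but a one-line comment keeps a later reader from narrowing it by accident: `// SCEP replies can contain freshly issued certificates; never let caches store them`. writeResponse begins before the hunk.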