From 6032ac0b7883de70b0269fbba067fcd2b0536e0d Mon Sep 17 00:00:00 2001
From: WeebDataHoarder
Date: Tue, 13 May 2025 23:48:21 +0200
Subject: [PATCH] http: add cache-control headers to prevent caching by other proxies elsewhere
---
 lib/action/block.go | 2 ++
 lib/action/code.go | 6 +++++-
 lib/action/drop.go | 2 ++
 lib/challenge/preload-link/preload-link.go | 1 +
 lib/challenge/resource-load/resource-load.go | 1 +
 lib/challenge/wasm/registration.go | 1 +
 lib/template.go | 2 ++
 7 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/action/block.go b/lib/action/block.go
index bfcc7d9..5a0f293 100644
--- a/lib/action/block.go
+++ b/lib/action/block.go
@@ -28,7 +28,9 @@ func (a Block) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Reques
 data := challenge.RequestDataFromContext(r.Context())
 w.Header().Set("Content-Type", "text/plain")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 w.Header().Set("Connection", "close")
+ data.ResponseHeaders(w)
 w.WriteHeader(a.Code)
 _, _ = w.Write([]byte(fmt.Errorf("access blocked: blocked by administrative rule %s/%s", data.Id.String(), a.RuleHash).Error()))
diff --git a/lib/action/code.go b/lib/action/code.go
index 40f04f3..9a46667 100644
--- a/lib/action/code.go
+++ b/lib/action/code.go
@@ -42,7 +42,11 @@ type CodeSettings struct {
 type Code int
 func (a Code) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
- challenge.RequestDataFromContext(r.Context()).ResponseHeaders(w)
+ data := challenge.RequestDataFromContext(r.Context())
+
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
+ data.ResponseHeaders(w)
 w.WriteHeader(int(a))
 return false, nil
diff --git a/lib/action/drop.go b/lib/action/drop.go
index c92a497..1c4a14f 100644
--- a/lib/action/drop.go
+++ b/lib/action/drop.go
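Review bot: The literal `"no-cache, no-store, must-revalidate"` is written out by hand here in Block.Handle and again in the seven other hunks of this patch (code.go, drop.go, preload-link.go, resource-load.go, wasm/registration.go and both template.go hunks), so a handler added later that forgets the line stays cacheable with nothing to flag it. One shared helper in a package most of the touched files already reference (the `challenge` package, judging by the visible calls) would keep the policy in one place, for example `func NoStore(h http.Header) { h.Set("Cache-Control", "no-cache, no-store, must-revalidate") }`, where the name and location are only a suggestion. Its doc comment is the natural place to record why challenge and deny responses must not be stored by downstream proxies. Handle's body starts and ends outside the hunk.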
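Review bot: Whether the no-store value survives in Code.Handle depends on `data.ResponseHeaders(w)`, which runs after the `Set` and whose body is not part of this patch; if it writes its own Cache-Control now or later, it silently replaces this one. The same order (Cache-Control first, ResponseHeaders afterwards) appears in the block.go, resource-load.go and wasm/registration.go hunks. If these responses must never be cacheable, move the `w.Header().Set("Cache-Control", ...)` line below `data.ResponseHeaders(w)`; if ResponseHeaders is meant to be able to override it, say so with a comment such as `// ResponseHeaders may override Cache-Control on purpose`.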
@@ -33,6 +33,8 @@ func (a Drop) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request
 w.Header().Set("Content-Type", "text/plain")
 w.Header().Set("Content-Length", "0")
 w.Header().Set("Connection", "close")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+ w.WriteHeader(http.StatusForbidden)
 return false, nil
diff --git a/lib/challenge/preload-link/preload-link.go b/lib/challenge/preload-link/preload-link.go
index b86df30..254b407 100644
--- a/lib/challenge/preload-link/preload-link.go
+++ b/lib/challenge/preload-link/preload-link.go
@@ -101,6 +101,7 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "text/css; charset=utf-8")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 w.Header().Set("Content-Length", "0")
 data := challenge.RequestDataFromContext(r.Context())
diff --git a/lib/challenge/resource-load/resource-load.go b/lib/challenge/resource-load/resource-load.go
index be0a19d..1771cf3 100644
--- a/lib/challenge/resource-load/resource-load.go
+++ b/lib/challenge/resource-load/resource-load.go
@@ -48,6 +48,7 @@ func FillRegistrationHeader(state challenge.StateInterface, reg *challenge.Regis
 mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, func(state challenge.StateInterface, data *challenge.RequestData, w http.ResponseWriter, r *http.Request, verifyResult challenge.VerifyResult, err error, redirect string) {
 //TODO: add other types inside css that need to be loaded!
 w.Header().Set("Content-Type", "text/css; charset=utf-8")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 w.Header().Set("Content-Length", "0")
 data.ResponseHeaders(w)
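Review bot: In the resource-load hunk the header is set only inside the custom responder handed to `challenge.VerifyHandlerFunc`, and no file in lib/challenge itself appears in this patch's diffstat, so whatever VerifyHandlerFunc writes on paths that never reach this callback is unchanged by the commit. Verification responses are the ones most worth keeping out of shared caches, because a stored copy could be replayed to a different client. It is worth confirming, from code outside this hunk, that the default verify response and any redirect it issues also carry `Cache-Control: no-store`. The callback body continues past the end of the hunk.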
diff --git a/lib/challenge/wasm/registration.go b/lib/challenge/wasm/registration.go
index 92139ca..4e9880e 100644
--- a/lib/challenge/wasm/registration.go
+++ b/lib/challenge/wasm/registration.go
@@ -164,6 +164,7 @@ func FillJavaScriptRegistration(state challenge.StateInterface, reg *challenge.R
 w.Header()[k] = v
 }
 w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out.Data)))
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 data.ResponseHeaders(w)
 w.WriteHeader(out.Code)
diff --git a/lib/template.go b/lib/template.go
index 5442de6..b5c731c 100644
--- a/lib/template.go
+++ b/lib/template.go
@@ -100,6 +100,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 state.addCachedTags(data, r, input)
 w.Header().Set("Content-Type", "text/html; charset=utf-8")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 buf := bytes.NewBuffer(make([]byte, 0, 8192))
@@ -116,6 +117,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 func (state *State) ErrorPage(w http.ResponseWriter, r *http.Request, status int, err error, redirect string) {
 data := challenge.RequestDataFromContext(r.Context())
 w.Header().Set("Content-Type", "text/html; charset=utf-8")
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 buf := bytes.NewBuffer(make([]byte, 0, 8192))
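Review bot: Nothing in this patch pins the new header with a test, and ChallengePage and ErrorPage (the next hunk) are, going by their names, the pages a challenged or rejected client actually receives. A check against an `httptest.NewRecorder()` for each, along the lines of `if cc := rec.Header().Get("Cache-Control"); !strings.Contains(cc, "no-store") { t.Fatalf("Cache-Control = %q", cc) }`, would catch a later refactor that drops the line or lets another header writer replace it. Both function bodies extend beyond their hunks, so anything that touches the header after the buffer is rendered is not visible here.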