http: add cache-control headers to prevent caching by other proxies elsewhere

lib/action/block.go

@@ -28,7 +28,9 @@ func (a Block) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Reques
 	data := challenge.RequestDataFromContext(r.Context())
 
 	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 	w.Header().Set("Connection", "close")
+
 	data.ResponseHeaders(w)
 	w.WriteHeader(a.Code)
 	_, _ = w.Write([]byte(fmt.Errorf("access blocked: blocked by administrative rule %s/%s", data.Id.String(), a.RuleHash).Error()))

lib/action/code.go

@@ -42,7 +42,11 @@ type CodeSettings struct {
 type Code int
 
 func (a Code) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request, done func() (backend http.Handler)) (next bool, err error) {
-	challenge.RequestDataFromContext(r.Context()).ResponseHeaders(w)
+	data := challenge.RequestDataFromContext(r.Context())
+
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
+	data.ResponseHeaders(w)
 
 	w.WriteHeader(int(a))
 	return false, nil

lib/action/drop.go

@@ -33,6 +33,8 @@ func (a Drop) Handle(logger *slog.Logger, w http.ResponseWriter, r *http.Request
 	w.Header().Set("Content-Type", "text/plain")
 	w.Header().Set("Content-Length", "0")
 	w.Header().Set("Connection", "close")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+
 	w.WriteHeader(http.StatusForbidden)
 
 	return false, nil

lib/challenge/preload-link/preload-link.go

@@ -101,6 +101,7 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 
 	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 		w.Header().Set("Content-Length", "0")
 
 		data := challenge.RequestDataFromContext(r.Context())

lib/challenge/resource-load/resource-load.go

@@ -48,6 +48,7 @@ func FillRegistrationHeader(state challenge.StateInterface, reg *challenge.Regis
 	mux.HandleFunc("GET "+reg.Path+challenge.VerifyChallengeUrlSuffix, challenge.VerifyHandlerFunc(state, reg, nil, func(state challenge.StateInterface, data *challenge.RequestData, w http.ResponseWriter, r *http.Request, verifyResult challenge.VerifyResult, err error, redirect string) {
 		//TODO: add other types inside css that need to be loaded!
 		w.Header().Set("Content-Type", "text/css; charset=utf-8")
+		w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 		w.Header().Set("Content-Length", "0")
 
 		data.ResponseHeaders(w)

lib/challenge/wasm/registration.go

@@ -164,6 +164,7 @@ func FillJavaScriptRegistration(state challenge.StateInterface, reg *challenge.R
 				w.Header()[k] = v
 			}
 			w.Header().Set("Content-Length", fmt.Sprintf("%d", len(out.Data)))
+			w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 			data.ResponseHeaders(w)
 			w.WriteHeader(out.Code)

lib/template.go

@@ -100,6 +100,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 	state.addCachedTags(data, r, input)
 
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 	buf := bytes.NewBuffer(make([]byte, 0, 8192))
 
@@ -116,6 +117,7 @@ func (state *State) ChallengePage(w http.ResponseWriter, r *http.Request, status
 func (state *State) ErrorPage(w http.ResponseWriter, r *http.Request, status int, err error, redirect string) {
 	data := challenge.RequestDataFromContext(r.Context())
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
 
 	buf := bytes.NewBuffer(make([]byte, 0, 8192))