From d63251baf4b6166a34c3529e70dcfc5e0854a22c Mon Sep 17 00:00:00 2001
From: Fabrice Rabaute
Date: Fri, 27 Aug 2021 16:38:56 -0700
Subject: [PATCH] cache: Enforce no-caching on the client side

Adding http headers to enforce requests are not cached by the browser.
---
 server.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server.go b/server.go
index 291d85b9..46924d19 100644
--- a/server.go
+++ b/server.go
@@ -177,6 +177,9 @@ func (s *server) authenticate(w http.ResponseWriter, r *http.Request, promptLogi
 	logger := common.LoggerForRequest(r, logModuleInfo)
 	logger.Info("Authenticating request...")
 
+	// Enforce no caching on the browser side.
+	w.Header().Add("Cache-Control", "private, max-age=0, no-cache, no-store")
+
 	// Try each one of the available enabled authenticators, if none of them
 	// achieves to authenticate the request then userInfo will be nil and
 	// Authorization Code Flow will begin.
@@ -374,6 +377,9 @@ func (s *server) callback(w http.ResponseWriter, r *http.Request) {
 	logger := common.LoggerForRequest(r, logModuleInfo)
 
+	// Enforce no caching on the browser side.
+	w.Header().Add("Cache-Control", "private, max-age=0, no-cache, no-store")
+
 	// Get authorization code from authorization response.
 	var authCode = r.FormValue("code")
 	if len(authCode) == 0 {
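Review bot: `w.Header().Add(...)` appends a second Cache-Control value if a middleware or an earlier handler already set one on this response, so the client may receive two Cache-Control headers with conflicting directives and is free to honour either; `w.Header().Set("Cache-Control", "private, max-age=0, no-cache, no-store")` replaces any existing value and makes the no-store intent unambiguous. The identical line in the callback hunk (@@ -374) has the same issue. Because the directive string is duplicated verbatim at both sites, a small helper such as `setNoCache(w http.ResponseWriter)` that calls Set for Cache-Control and additionally sets `Pragma: no-cache` and `Expires: 0` for HTTP/1.0 intermediaries would keep the two handlers consistent and cover older caches that ignore Cache-Control. Both authenticate and callback continue past the end of their hunks, so whether any response is written before these lines run cannot be confirmed from the diff; the header is only effective if it is set before WriteHeader is called.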