Changeset 59724 for trunk/src/wp-includes/functions.php

Timestamp:

01/28/2025 11:20:48 PM (13 months ago)

Author:

johnbillion

Message:

Security: Always include the no-store and private directives in the Cache-Control header when setting headers that prevent caching.

The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users.

This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.

Props kkmuffme, devansh2002, johnbillion.

Fixes #61942

File:

• trunk/src/wp-includes/functions.php (modified) (1 diff)

trunk/src/wp-includes/functions.php

@@ -1490 +1490 @@
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers.
+ * is handled by different browsers or intermediate caches such as proxy servers.
  *
  * @since 2.8.0
  * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
  *              `no-store` and `private` directives.
+ * @since 6.8.0 The `Cache-Control` header now includes the `no-store` and `private`
+ *              directives regardless of whether a user is logged in.
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
-    $cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
-        ? 'no-cache, must-revalidate, max-age=0, no-store, private'
-        : 'no-cache, must-revalidate, max-age=0';
+    $cache_control = 'no-cache, must-revalidate, max-age=0, no-store, private';
 
     $headers = array(