Opened 7 weeks ago
Last modified 6 weeks ago
#61942 new defect (bug)
Add "no-store" to Cache-Control header to prevent unexpected cache behavior
Reported by: | kkmuffme | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Security | Keywords: | |
Focuses: | | Cc: | |
Description
https://core.trac.wordpress.org/ticket/21938
Added no-store, private to Cache-Control in WP 6.1 for logged-in users.
However, since this ticket was more than a decade old and created in an age before widespread reverse proxying (CDNs), this is a problem: those can and will store responses that have no-cache (but not no-store), either by default or depending on the configuration: https://developers.cloudflare.com/cache/concepts/cache-control/
Practically, not all actions are for logged-in users - e.g. you have a cart/checkout/thank-you page, which will end up in a proxy cache because of this bug and could end up being served from cache incorrectly.
no-store, private should be added for non-logged-in users too, i.e. the logged-in-user condition removed.
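The distinction the ticket turns on is that `no-cache` is not a storage prohibition: under RFC 9111 section 3 a shared cache (CDN or reverse proxy) may store a `no-cache` response and merely has to revalidate it before reuse, whereas `no-store` forbids storing anywhere and `private` forbids storing in a shared cache. The following is an added example, not WordPress code or anything from this ticket's PR; it implements the RFC 9111 "may a shared cache store this response" rule and runs it over two constructed header values. The two values are assumptions about what `wp_get_nocache_headers()` emits before and after the WP 6.1 change, chosen to match the ticket's description, not copied from WordPress.

```python
"""Shared-cache storability check for Cache-Control headers (RFC 9111 section 3).

Added example; not WordPress code. The header values below are constructed to
mirror the ticket's description and are assumptions about what WordPress emits.
"""
from __future__ import annotations

# Status codes a cache may store with heuristic freshness when no explicit
# freshness information (Expires, max-age, s-maxage, public) is present.
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Parse a Cache-Control header into {directive: argument-or-None}.

    Directive names are case-insensitive; a quoted argument is unquoted.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_eq, arg = part.partition("=")
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]
        directives[name.strip().lower()] = arg if has_eq else None
    return directives


def shared_cache_may_store(cache_control: str, status: int = 200,
                           has_expires: bool = False) -> bool:
    """Return True if a shared cache (CDN / reverse proxy) may store the response.

    Only `no-store` (any cache) and `private` (shared caches) forbid storing.
    `no-cache` just forbids serving the stored copy without revalidation, so a
    proxy that is configured to ignore or relax revalidation can still serve it.
    """
    d = parse_cache_control(cache_control)
    if "no-store" in d or "private" in d:
        return False
    explicit_freshness = (has_expires or "max-age" in d
                          or "s-maxage" in d or "public" in d)
    return explicit_freshness or status in HEURISTICALLY_CACHEABLE


# Constructed header values (assumptions about WordPress output, see above).
ANONYMOUS_NOCACHE = "no-cache, must-revalidate, max-age=0"
LOGGED_IN_NOCACHE = ANONYMOUS_NOCACHE + ", no-store, private"


def report() -> dict[str, bool]:
    """Storability of the two constructed header variants for a shared cache."""
    return {
        "anonymous (no-cache only)": shared_cache_may_store(ANONYMOUS_NOCACHE),
        "logged in (no-store, private)": shared_cache_may_store(LOGGED_IN_NOCACHE),
    }


if __name__ == "__main__":
    for label, storable in report().items():
        print(f"{label}: shared cache may store = {storable}")
```

Run stand-alone, the anonymous variant is reported as storable and the logged-in variant as not storable, which is the gap the ticket describes for pages such as cart or checkout that anonymous users hit. Treat the heuristic status-code set as the RFC's list, not as what any particular CDN actually does; individual products can be configured to store more than the RFC allows.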
Change History (2)
This ticket was mentioned in PR #7257 on WordPress/wordpress-develop by @devansh2002.
7 weeks ago
#1
- Keywords has-patch added
Remove logged-in check for no-store, private Cache-Control
Trac ticket: https://core.trac.wordpress.org/ticket/61942