[wp-trac] [WordPress Trac] #61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior
WordPress Trac
noreply at wordpress.org
Tue Aug 27 22:09:32 UTC 2024
#61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior
--------------------------+-----------------------------
Reporter: kkmuffme | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
https://core.trac.wordpress.org/ticket/21938
Added no-store, private to Cache-Control in WP 6.1 for logged-in users.
However, since this ticket was more than a decade old and created in an
age before widespread reverse-proxying (CDNs), this is a problem, since
those can and will store responses that have no-cache (but not no-store):
https://developers.cloudflare.com/cache/concepts/cache-control/
Either by default or depending on the configuration.
Practically, not all actions are for logged-in users - e.g. you have a
cart/checkout/thankyou page, which will end up in a proxy cache because of
this bug and could end up being served from cache incorrectly.
The no-store, private should be added for non-logged-in users too/the user
logged-in condition removed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61942>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
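
The no-cache versus no-store distinction raised in the ticket, as an added example that is not part of the ticket or of WordPress core: a small auditor that reads only the Cache-Control value and reports whether a shared cache (CDN, reverse proxy) is allowed to keep a copy. The function names, paths and header values are constructed for illustration.

```python
"""Classify Cache-Control values by what a shared cache may do with the response.
Only Cache-Control is examined; method, status code and Authorization are out of scope."""


def parse_cache_control(value):
    """Return {directive: argument-or-None}; directive names are case-insensitive."""
    directives, token, in_quotes = {}, "", False
    # Split on commas that sit outside quoted strings, e.g. private="set-cookie, x-user".
    for ch in value + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            name, _, arg = token.strip().partition("=")
            if name:
                directives[name.strip().lower()] = arg.strip().strip('"') or None
            token = ""
        else:
            token += ch
    return directives


def shared_cache_verdict(value):
    d = parse_cache_control(value)
    # no-store forbids any cache from keeping the response.
    if "no-store" in d:
        return "must-not-store"
    # Unqualified private forbids shared caches; private="field" only restricts those fields.
    if "private" in d and d["private"] is None:
        return "must-not-store"
    # Unqualified no-cache still permits storage; the copy must be revalidated before reuse.
    if "no-cache" in d and d["no-cache"] is None:
        return "may-store-revalidate-before-reuse"
    return "may-store"


# Constructed sample responses (path, Cache-Control value).
SAMPLES = [
    ("/checkout/", "no-cache, must-revalidate, max-age=0"),
    ("/wp-admin/", "no-cache, must-revalidate, max-age=0, no-store, private"),
    ("/cart/", 'No-Cache, private="set-cookie"'),
    ("/blog/", "public, max-age=300"),
]


def storable_paths(samples):
    """Paths whose Cache-Control value leaves a shared cache free to keep a copy."""
    return [p for p, cc in samples if shared_cache_verdict(cc) != "must-not-store"]


if __name__ == "__main__":
    for path, cc in SAMPLES:
        print(f"{path:12} {shared_cache_verdict(cc):34} {cc}")
```

A path that shows up in `storable_paths` and serves per-visitor content is the case the ticket describes: the origin asked for revalidation, but the proxy's own configuration decides whether that request is honoured.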