[wp-trac] [WordPress Trac] #61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior

WordPress Trac noreply at wordpress.org
Tue Aug 27 22:09:32 UTC 2024


#61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior
--------------------------+-----------------------------
 Reporter:  kkmuffme      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Security      |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 https://core.trac.wordpress.org/ticket/21938

 Added no-store, private to Cache-Control in WP 6.1 for logged-in users.
 However, since this ticket was more than a decade old and created in an
 age before widespread reverse-proxying (CDNs), this is a problem, since
 those can and will store responses that have no-cache (but not no-store):
 https://developers.cloudflare.com/cache/concepts/cache-control/
 Either by default or depending on the configuration.

 Practically, not all actions are for logged-in users - e.g. you have a
 cart/checkout/thankyou page, which will end up in a proxy-cache because of
 this bug and could end up being served from cache incorrectly.

 The no-store, private should be added for non-logged-in users too/the user
 logged-in condition removed.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61942>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
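
How a shared cache treats the two header variants the ticket contrasts, as an added example that is not part of the ticket or of WordPress core: a simplified model of the RFC 9111 storage rules for a 200 response to an unauthenticated GET. The function names and the sample header values are assumptions constructed for illustration, and a CDN's own configuration can override these rules.

```python
import re

# One directive: a name, optionally followed by =token or ="quoted string".
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^\s,]*))?')


def parse_cache_control(value):
    """Return {directive: argument or None} for a Cache-Control field value."""
    directives = {}
    for name, arg in _DIRECTIVE.findall(value):
        directives[name.lower()] = arg.strip('"') or None
    return directives


def shared_cache_policy(cache_control):
    """Classify what a shared cache (CDN, reverse proxy) may do with a response.

    Returns "not-stored", "stored-must-revalidate" or "stored-reusable".
    Assumes a 200 response to a GET without an Authorization header.
    """
    d = parse_cache_control(cache_control)
    # no-store forbids storage by any cache; an unqualified "private"
    # forbids storage by shared caches only.
    if "no-store" in d or ("private" in d and d["private"] is None):
        return "not-stored"
    # Unqualified no-cache: the response MAY be stored, but must be
    # revalidated with the origin before every reuse.
    if "no-cache" in d and d["no-cache"] is None:
        return "stored-must-revalidate"
    # s-maxage takes precedence over max-age for shared caches.
    lifetime = d.get("s-maxage") or d.get("max-age")
    if lifetime is not None and lifetime.isdigit() and int(lifetime) == 0:
        return "stored-must-revalidate"
    # Positive lifetime, or none given (heuristics / CDN defaults apply).
    return "stored-reusable"


# Constructed sample values modelled on the ticket's description.
SAMPLES = {
    "without no-store": "no-cache, must-revalidate, max-age=0",
    "with no-store, private": "no-cache, must-revalidate, max-age=0, no-store, private",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:24} -> {shared_cache_policy(header)}")
```

The "stored-must-revalidate" result is the case the ticket is concerned with: the response body sits in the proxy cache, and correct behavior depends on revalidation happening on every reuse.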

