author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 16:09:43 +0000 |
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 16:09:43 +0000 |
commit | f0b3edf2ca9f7f1dd64d3b17eda006ab9983cfc4 (patch) | |
tree | 759c00bd27a3d6898d033976f9b2f166b4821812 /app/controllers | |
parent | d3cd569bc60f81613c700e64e7ee5b469e32a4ac (diff) | |
parent | 0b93f8cddedc3d2baea84b7694ecbd1aa3fcaa99 (diff) | |
download | gitlab-ce-f0b3edf2ca9f7f1dd64d3b17eda006ab9983cfc4.tar.gz |
Merge branch 'fix/control-headers' into 'master'
[master] Resolve "Sensitive information is stored in browser history"
See merge request gitlab/gitlabhq!2555
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/application_controller.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index eeabcc0c9bb..7f4aa8244ac 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -46,6 +46,8 @@ class ApplicationController < ActionController::Base
     :git_import_enabled?, :gitlab_project_import_enabled?, :manifest_import_enabled?
+  DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store".freeze
+
   rescue_from Encoding::CompatibilityError do |exception|
     log_exception(exception)
     render "errors/encoding", layout: "errors", status: 500
@@ -244,6 +246,13 @@ class ApplicationController < ActionController::Base
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
     headers['X-Content-Type-Options'] = 'nosniff'
+
+    if current_user
+      # Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security
+      # concerns due to caching private data.
+      headers['Cache-Control'] = DEFAULT_GITLAB_CACHE_CONTROL
+      headers["Pragma"] = "no-cache" # HTTP 1.0 compatibility
+    end
   end
   def validate_user_service_ticket! |
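Review bot: The `no-store` directive is only emitted when `current_user` is truthy, so a response that still carries private data to a client without a session user (any token- or otherwise-authenticated path that does not populate `current_user`, if such paths exist) keeps the Rails default `max-age=0, private, must-revalidate`, which does not forbid storing; either apply the stricter header to every response or document why the `current_user` gate is sufficient, e.g. `# Unauthenticated responses are assumed to contain no private data; revisit if that changes.` The enclosing method starts outside the hunk, so it cannot be confirmed here that it runs as a before_action ahead of any action that later calls `expires_in`/`fresh_when` or assigns `response.headers['Cache-Control']` itself — a request spec asserting that `response.headers['Cache-Control']` includes `no-store` for an authenticated request would guard against such an override. Minor style: the new lines mix `headers['Cache-Control']` with `headers["Pragma"]` while the neighbouring context lines use single quotes throughout, so `headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility` would match the file.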