author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-24 10:13:23 +0300 |
---|---|---|
committer | Thiago Presa <tpresa@gitlab.com> | 2018-10-25 03:40:23 +0300 |
commit | dadc35390b5f01a61334eda9e68d858685789ef4 (patch) | |
tree | 19a62beff68b78e95b974b2b8a80356f94b21bb3 /app | |
parent | fd080530e5de0e890eccfc917d4ba40c0b40c564 (diff) |
Merge branch 'security-fix/control-headers-11-3' into 'security-11-3'
: [11.3] Resolve "Sensitive information is stored in browser history"
See merge request gitlab/gitlabhq!2561
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/application_controller.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7e2b2cf3ad3..17957d1048f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -41,6 +41,8 @@ class ApplicationController < ActionController::Base
     :git_import_enabled?, :gitlab_project_import_enabled?, :manifest_import_enabled?
 
+  DEFAULT_GITLAB_CACHE_CONTROL = "#{ActionDispatch::Http::Cache::Response::DEFAULT_CACHE_CONTROL}, no-store".freeze
+
   rescue_from Encoding::CompatibilityError do |exception|
     log_exception(exception)
     render "errors/encoding", layout: "errors", status: 500
@@ -231,6 +233,13 @@ class ApplicationController < ActionController::Base
     headers['X-XSS-Protection'] = '1; mode=block'
     headers['X-UA-Compatible'] = 'IE=edge'
     headers['X-Content-Type-Options'] = 'nosniff'
+
+    if current_user
+      # Adds `no-store` to the DEFAULT_CACHE_CONTROL, to prevent security
+      # concerns due to caching private data.
+      headers['Cache-Control'] = DEFAULT_GITLAB_CACHE_CONTROL
+      headers["Pragma"] = "no-cache" # HTTP 1.0 compatibility
+    end
   end
 
   def validate_user_service_ticket! |
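Review bot: The new `DEFAULT_GITLAB_CACHE_CONTROL` constant in the first hunk has no comment saying why `no-store` is appended to Rails' default, so a reader has to find the use site further down the file to learn that it exists to keep signed-in users' responses out of the browser cache. A two-line comment above the constant would make that self-contained: `# Rails' default (max-age=0, private, must-revalidate) still allows the browser to keep a copy for back/forward navigation;` and `# appending no-store tells it not to write responses for signed-in users to its cache at all.` The `:git_import_enabled?` context line is the tail of a `helper_method` call whose start lies outside the hunk.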
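Review bot: The `no-store` header in the second hunk is keyed solely on `current_user`, so any response from an `ApplicationController` descendant that carries per-user or otherwise sensitive content while `current_user` is nil (for example pages rendered during sign-in, password-reset or two-factor flows, if such controllers inherit from here) still goes out with the Rails default and remains storable by the browser; a regression spec asserting the final `Cache-Control`/`Pragma` values for both a signed-in and a signed-out request would pin the intended boundary. Writing `headers['Cache-Control']` directly also means any action that later calls `expires_in` or `fresh_when` relies on Rails re-parsing and merging the pre-set header rather than replacing it; the `no-store` token should survive that merge as an extra, but that is worth covering in the same spec rather than assumed. As a point of style, the adjacent lines mix `headers['Cache-Control']` with `headers["Pragma"] = "no-cache"` while the rest of the method uses single quotes, so `headers['Pragma'] = 'no-cache' # HTTP 1.0 compatibility` would match. The enclosing method's definition line is outside the hunk; only its closing `end` is visible.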