From 3053a77cde16aa3a93a709fa34613b2df33b9295 Mon Sep 17 00:00:00 2001 From: fs Date: Fri, 13 Mar 2026 19:37:13 +0100 Subject: [PATCH] fix(security): prevent browser caching of dynamic pages Add Cache-Control: no-store to all PHP-rendered pages so the browser never serves a stale admin/auth page from its back-forward cache. Static assets (CSS, JS, images) keep their 30-day expiry unchanged. Uses fastcgi_hide_header to suppress PHP's default Cache-Control before setting the definitive header via Nginx. Co-Authored-By: Claude Opus 4.6 --- docker/nginx/default.conf | 2 ++ docker/nginx/prod.conf | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf index 1cf386a..e6bd8f6 100644 --- a/docker/nginx/default.conf +++ b/docker/nginx/default.conf @@ -22,6 +22,8 @@ server { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass php:9000; + fastcgi_hide_header Cache-Control; + add_header Cache-Control "no-store, no-cache, must-revalidate, private" always; } location ~* \.mjs$ { diff --git a/docker/nginx/prod.conf b/docker/nginx/prod.conf index de3ab0a..d8c2221 100644 --- a/docker/nginx/prod.conf +++ b/docker/nginx/prod.conf @@ -46,6 +46,8 @@ server { fastcgi_param HTTPS on; fastcgi_param HTTP_X_FORWARDED_PROTO https; fastcgi_pass php:9000; + fastcgi_hide_header Cache-Control; + add_header Cache-Control "no-store, no-cache, must-revalidate, private" always; } location ~* \.mjs$ {