fix(security): prevent browser caching of dynamic pages
Add Cache-Control: no-store to all PHP-rendered pages so the browser never serves a stale admin/auth page from its back-forward cache. Static assets (CSS, JS, images) keep their 30-day expiry unchanged. Uses fastcgi_hide_header to suppress PHP's default Cache-Control before setting the definitive header via Nginx. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -22,6 +22,8 @@ server {
|
|||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
fastcgi_pass php:9000;
|
fastcgi_pass php:9000;
|
||||||
|
fastcgi_hide_header Cache-Control;
|
||||||
|
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* \.mjs$ {
|
location ~* \.mjs$ {
|
||||||
|
|||||||
@@ -46,6 +46,8 @@ server {
|
|||||||
fastcgi_param HTTPS on;
|
fastcgi_param HTTPS on;
|
||||||
fastcgi_param HTTP_X_FORWARDED_PROTO https;
|
fastcgi_param HTTP_X_FORWARDED_PROTO https;
|
||||||
fastcgi_pass php:9000;
|
fastcgi_pass php:9000;
|
||||||
|
fastcgi_hide_header Cache-Control;
|
||||||
|
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* \.mjs$ {
|
location ~* \.mjs$ {
|
||||||
|
|||||||
Reference in New Issue
Block a user