fix(security): prevent browser caching of dynamic pages

Add Cache-Control: no-store to all PHP-rendered pages so the browser
never serves a stale admin/auth page from its back-forward cache.
Static assets (CSS, JS, images) keep their 30-day expiry unchanged.

Uses fastcgi_hide_header to suppress PHP's default Cache-Control
before setting the definitive header via Nginx.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 19:37:13 +01:00
parent ad8f30cb09
commit 3053a77cde
2 changed files with 4 additions and 0 deletions

View File

@@ -22,6 +22,8 @@ server {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass php:9000;
fastcgi_hide_header Cache-Control;
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
}
location ~* \.mjs$ {

View File

@@ -46,6 +46,8 @@ server {
fastcgi_param HTTPS on;
fastcgi_param HTTP_X_FORWARDED_PROTO https;
fastcgi_pass php:9000;
fastcgi_hide_header Cache-Control;
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
}
location ~* \.mjs$ {