fix(security): prevent browser caching of dynamic pages
Add Cache-Control: no-store to all PHP-rendered pages so the browser never serves a stale admin/auth page from its back-forward cache. Static assets (CSS, JS, images) keep their 30-day expiry unchanged. Uses fastcgi_hide_header to suppress PHP's default Cache-Control before setting the definitive header via Nginx. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -22,6 +22,8 @@ server {
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_pass php:9000;
|
||||
fastcgi_hide_header Cache-Control;
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
|
||||
}
|
||||
|
||||
location ~* \.mjs$ {
|
||||
|
||||
@@ -46,6 +46,8 @@ server {
|
||||
fastcgi_param HTTPS on;
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO https;
|
||||
fastcgi_pass php:9000;
|
||||
fastcgi_hide_header Cache-Control;
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
|
||||
}
|
||||
|
||||
location ~* \.mjs$ {
|
||||
|
||||
Reference in New Issue
Block a user