Security: add HTTP headers to prevent browsers from caching responses #662

57c2af4f · Cam Saul · 8992908e · 57c2af4f · 57c2af4f · 57c2af4f
Commit 57c2af4f authored 9 years ago by Cam Saul
--- a/src/metabase/core.clj
+++ b/src/metabase/core.clj
@@ -46,11 +46,11 @@
              (s/replace #"/$" "")) ; strip off trailing slash if one was included
      (-site-url (or origin host))))

-
 (def app
  "The primary entry point to the HTTP server"
  (-> routes/routes
      (log-api-call :request :response)
+      add-security-headers         ; [METABASE] Add HTTP headers to API responses to prevent them from being cached
      format-response              ; [METABASE] Do formatting before converting to JSON so serializer doesn't barf
      (wrap-json-body              ; extracts json POST body and makes it avaliable on request
        {:keywords? true})

--- a/src/metabase/middleware/format.clj
+++ b/src/metabase/middleware/format.clj
@@ -3,6 +3,7 @@
            (cheshire factory
                      [generate :refer [add-encoder encode-str]])
            [medley.core :refer [filter-vals map-vals]]
+            [metabase.middleware.log-api-call :refer [api-call?]]
            [metabase.models.interface :refer [api-serialize]]
            [metabase.util :as util]))

@@ -32,6 +33,15 @@
 (add-encoder java.sql.Date (fn [^java.sql.Date date ^com.fasterxml.jackson.core.JsonGenerator json-generator]
                             (.writeString json-generator (.toString date))))

+(defn add-security-headers
+  "Add HTTP headers to tell browsers not to cache API responses."
+  [handler]
+  (fn [request]
+    (let [response (handler request)]
+      (update response :headers merge (when (api-call? request)
+                                        {"Cache-Control" "max-age=0, no-cache, must-revalidate, proxy-revalidate"
+                                         "Expires"       "Tue, 03 Jul 2001 06:00:00 GMT" ; rando date in the past
+                                         "Last-Modified" "{now} GMT"})))))

 ;; ## FORMAT RESPONSE MIDDLEWARE
 (defn format-response

--- a/src/metabase/middleware/log_api_call.clj
+++ b/src/metabase/middleware/log_api_call.clj
@@ -50,7 +50,7 @@
                    (log-response request response elapsed-time))
                  response))))))

-(defn- api-call?
+(defn api-call?
  "Is this ring request an API call (does path start with `/api`)?"
  [{:keys [^String uri]}]
  (and (>= (count uri) 4)