Skip to content

Prevent browser bfcache by default #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Prevent browser bfcache by default #82

wants to merge 2 commits into from

Conversation

clemblanco
Copy link

@clemblanco clemblanco commented Dec 16, 2022
edited
Loading

Back / forward cache seems to be a fairly recent feature browsers seem to rollout.

More information can be found here: https://web.dev/bfcache.

Long story short, when a user for example login then logout from a given application, they could then hit the "Back" button from their browser and access the login page again with the credentials pre-filled as the page would be served from the bfcache. This could lead to security concerns, especially on shared devices where someone could inspect the page and retrieve some user credentials.

Currently, the sensible defaults for the HTTP cache headers seem to be no-cache, private in order to be conservative by default. A lot of applications currently rely on this to be the sensible default for their application too.

Replacing no-cache by no-store would prevent bfcache to kick in from any browser and could be considered as a more secure default.

no-cache shows that returned responses can't be used for subsequent requests to the same URL before checking if server responses have changed. If a proper ETag (validation token) is present as a result, no-cache incurs a roundtrip in an effort to validate cached responses. Caches can however eliminate downloads if the resources haven't changed. In other words, web browsers might cache the assets but they have to check on every request if the assets have changed (304 response if nothing has changed).

On the contrary, no-store is simpler. This is the case because it disallows browsers and all intermediate caches from storing any versions of returned responses, such as responses containing private/personal information or banking data. Every time users request this asset, requests are sent to the server. The assets are downloaded every time.

More information can be found here: https://www.keycdn.com/blog/http-cache-headers#no-cache-and-no-store

The purpose of this PR is to start the discussion rather than bringing a definite solution.
@clemblanco
Update ResponseHeaderBag.php
cfdaa71 
Add no-store to the conservative default for Cache headers
@clemblanco
Replace no-cache with no-store
d348588 
Replace `no-cache` with `no-store` for a more secure conservative default.
@symfony-bot
Copy link

symfony-bot bot commented Dec 16, 2022

Thanks for your pull request! We love contributions.

However, this repository is what we call a "subtree split": a read-only copy of one directory of the main Symfony repository. It is used by Composer to allow developers to depend on specific Symfony components.

If you want to contribute, you should instead open a pull request on the main repository:

https://github.com/symfony/symfony

Thank you for your contribution!

PS: if you haven't already, please add tests, and beware that bug fixes should be submitted on the lowest maintained branch where they apply.
@clemblanco
Copy link
Author

Closing in favour of #48679
@clemblanco clemblanco closed this Dec 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@clemblanco