Author: jleroux
Date: Wed May 23 20:53:45 2018
New Revision: 1832128

URL: http://svn.apache.org/viewvc?rev=1832128&view=rev
Log:
Improved: Secure HTTP headers (OFBIZ-6766)
After reading https://www.fastly.com/blog/headers-we-dont-want and more in the Jira, only improves UtilHttp.setResponseBrowserProxyNoCache() by adding Cache-Control:private to avoid caching in proxy. Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java?rev=1832128&r1=1832127&r2=1832128&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java (original) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Wed May 23 20:53:45 2018 @@ -977,8 +977,7 @@ public final class UtilHttp { long nowMillis = System.currentTimeMillis(); response.setDateHeader("Expires", nowMillis); response.setDateHeader("Last-Modified", nowMillis); // always modified - response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP/1.1 - response.addHeader("Cache-Control", "post-check=0, pre-check=0, false"); + response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private"); // HTTP/1.1 response.setHeader("Pragma", "no-cache"); // HTTP/1.0 }
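Review bot: on the added `setHeader("Cache-Control", ...)` line, `private` is appended to a value that already contains `no-store`, and nothing in the method says why both are there. `no-store` already tells every cache, shared or private, not to keep the response, so `private` only helps with intermediaries that do not honour `no-store`. A one-line comment stating that intent (the log message gives it as avoiding caching in proxies) would stop a later cleanup from removing it as redundant. The same hunk also deletes the `addHeader` call carrying `post-check=0, pre-check=0, false`, which the log does not mention; collapsing to a single `setHeader` is reasonable, but the removal should be noted in the log or the Jira so the change in emitted headers is traceable. The trailing `// HTTP/1.1` comment could name the directive's purpose rather than only the protocol version.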

