asf-tooling opened a new issue, #954:
URL: https://github.com/apache/tooling-trusted-releases/issues/954
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The application has no global or blueprint-level middleware that enforces
anti-caching headers. Individual endpoints can set the headers themselves (as
`jwt_post` demonstrates), but there is no architectural enforcement mechanism,
so every new endpoint lacks protection unless its developer remembers to add
the headers by hand. All four blueprints define `before_request` hooks, but
none defines an `after_request` hook that would add security headers. Only ~6%
of sensitive endpoints are currently protected (1 out of ~16 endpoints), and
every newly added endpoint is unprotected by default.
### Details
**Affected Files and Lines:**
- `atr/blueprints/api.py` - No after_request hook
- `atr/blueprints/admin.py` - No after_request hook
- `atr/blueprints/get.py` - No after_request hook
- `atr/blueprints/post.py` - No after_request hook
- `src/asfquart/generics.py` - No global middleware
This is a Type B gap with minimal coverage. The lack of architectural
enforcement means vulnerabilities are introduced by default rather than
requiring explicit mistakes.
### Recommended Remediation
Add application-wide `@app.after_request` hook to set security headers on
all responses:
```python
@app.after_request
async def add_cache_control_headers(response):
    # setdefault() keeps whatever value an endpoint already chose (as
    # jwt_post does) and only fills in the headers that are missing.
    response.headers.setdefault('Cache-Control', 'no-store')
    response.headers.setdefault('Pragma', 'no-cache')  # for HTTP/1.0 caches
    return response
```
Alternatively, add per-blueprint `@_BLUEPRINT.after_request` hooks for
targeted enforcement. This is a Priority 1 action that fixes all current and
future endpoints.
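The following is an added, framework-agnostic example (not code from the issue or from the project): it models the hook body on a plain headers mapping, adds the verification check that the "Unit test verifying the fix" criterion calls for, and shows the one caveat of `setdefault`: an endpoint that explicitly set a permissive `Cache-Control` keeps it, so the check must still run per endpoint. The endpoint names and header values in `SAMPLE_RESPONSES` are constructed for illustration.

```python
# Added example, not part of the original issue or project. It uses a plain
# dict in place of Quart's response.headers; both expose setdefault()/get().
# Note: a plain dict is case-sensitive, unlike a real Headers object.
from typing import MutableMapping


def add_cache_control_headers(headers: MutableMapping[str, str]) -> MutableMapping[str, str]:
    """Same body as the proposed after_request hook: fill in only what is missing."""
    headers.setdefault("Cache-Control", "no-store")
    headers.setdefault("Pragma", "no-cache")  # HTTP/1.0 compatibility
    return headers


def cache_control_directives(value: str) -> set[str]:
    """Parse 'no-store, max-age=0' into {'no-store', 'max-age=0'}, case-insensitively."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def is_anti_cached(headers: MutableMapping[str, str]) -> bool:
    """True when the response forbids storage for both HTTP/1.1 and HTTP/1.0 caches."""
    directives = cache_control_directives(headers.get("Cache-Control", ""))
    pragma = headers.get("Pragma", "").strip().lower()
    return "no-store" in directives and pragma == "no-cache"


# Constructed sample responses: headers each handler set on its own, before
# the hook runs. "get_release" stands in for an endpoint that opted into caching.
SAMPLE_RESPONSES = {
    "jwt_post": {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"},
    "admin_index": {},
    "get_release": {"Cache-Control": "public, max-age=3600"},
}


def audit(responses: dict) -> list[str]:
    """Run every response through the hook; return the endpoints that still fail."""
    failing = []
    for name, handler_headers in responses.items():
        finished = add_cache_control_headers(dict(handler_headers))
        if not is_anti_cached(finished):
            failing.append(name)
    return failing


if __name__ == "__main__":
    print("still cacheable after hook:", audit(SAMPLE_RESPONSES))
```

Because `setdefault` never overrides an explicit value, the hook closes the "forgot to add headers" gap but not the "chose the wrong headers" one; the audit function is what catches the latter.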
### Acceptance Criteria
- [ ] Global after_request hook implemented
- [ ] Cache-Control headers set on all responses
- [ ] Pragma header set for HTTP/1.0 compatibility
- [ ] Existing endpoints verified to receive headers
- [ ] New endpoints automatically protected
- [ ] Unit test verifying the fix
### References
- Source reports: L2:14.3.2.md
- Related findings: FINDING-047, FINDING-048, FINDING-049, FINDING-191
- ASVS sections: 14.3.2
### Priority
Critical
---
**Triage notes:** either make a separate blueprint for protected endpoints
or take the advice