From 05ed40ea9b30d2c028a33cd8b36c468550979df4 Mon Sep 17 00:00:00 2001
From: Fabrice Rabaute
Date: Fri, 27 Aug 2021 16:38:56 -0700
Subject: [PATCH] cache: Enforce no-caching on the client side

Adding http headers to enforce requests are not cached by the browser.
---
 server.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server.go b/server.go
index 28e8ad7e..07540f78 100644
--- a/server.go
+++ b/server.go
@@ -118,6 +118,9 @@ func (s *server) authenticate(w http.ResponseWriter, r *http.Request) {
 	logger := logger.ForRequest(r, logModuleInfo)
 	logger.Info("Authenticating request...")
 
+	// Enforce no caching on the browser side.
+	w.Header().Add("Cache-Control", "private, max-age=0, no-cache, no-store")
+
 	var user *authenticator.User
 	for i, auth := range s.authenticators {
 		if !s.enabledAuthenticator(authenticatorsMapping[i]) {
@@ -292,6 +295,9 @@ func (s *server) callback(w http.ResponseWriter, r *http.Request) {
 	logger := logger.ForRequest(r, logModuleInfo)
 
+	// Enforce no caching on the browser side.
+	w.Header().Add("Cache-Control", "private, max-age=0, no-cache, no-store")
+
 	// Get authorization code from authorization response.
 	var authCode = r.FormValue("code")
 	if len(authCode) == 0 {
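Review bot: `w.Header().Add` appends rather than replaces, so if an earlier middleware or a later branch of authenticate already sets Cache-Control the response carries two values and the browser merges them; `w.Header().Set("Cache-Control", "private, max-age=0, no-cache, no-store")` states the intent (this value, not an additional one) directly. Responses from an authentication handler are exactly the kind a browser or intermediary should never retain, so the customary companion headers for HTTP/1.0 caches belong next to it: `w.Header().Set("Pragma", "no-cache")` and `w.Header().Set("Expires", "0")`. The same two added lines appear verbatim in the callback hunk at @@ -292; a small `setNoCacheHeaders(w http.ResponseWriter)` helper called from both handlers would keep the directive set in one place and make a future change apply to both. The body of authenticate continues past both ends of this hunk, so whether any other path writes Cache-Control is not visible here.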