Merge pull request #15293 from craftcms/feature/no-cache-csrf-on-get

Don't cache responses if getCsrfToken is called
craftcms · Jul 4, 2024 · 427fabe · 427fabe
2 parents 3c6df36 + f14c6b4
commit 427fabe
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 4
 
+## Unreleased
+
+- Craft now sends no-cache headers for any request that calls `craft\web\Request::getCsrfToken()`. ([#15293](https://github.com/craftcms/cms/pull/15293), [#15281](https://github.com/craftcms/cms/pull/15281))
+
 ## 4.10.4 - 2024-07-02
 
 - Craft now sends no-cache headers for any request that generates a CSRF token. ([#15281](https://github.com/craftcms/cms/pull/15281), [verbb/formie#1963](https://github.com/verbb/formie/issues/1963))

diff --git a/src/web/Request.php b/src/web/Request.php
@@ -1281,6 +1281,9 @@ protected function loadRawCookies(): array
      */
     public function getCsrfToken($regenerate = false): string
     {
+        // Ensure the response is not cached by the browser or static cache proxies.
+        Craft::$app->getResponse()->setNoCacheHeaders();
+
         if (!isset($this->_craftCsrfToken) || $regenerate) {
             $token = $this->loadCsrfToken();