The application has not implemented proper Cache-Control header throughout the application

adnan.khan · July 17, 2024, 1:51pm

Hi,

Jmix version : ‘1.5.0’ JDK 11

The application should return caching directives instructing application not to store
local copies of any sensitive data. Often, this can be achieved by configuring the
web server to prevent caching for relevant paths within the web root. Ideally, the
web server should return the following HTTP headers in all responses containing
sensitive content:
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

tried adding below code still getting Cache-Control, "no-store" | pragma, "no-cache"



http
                .authorizeRequests()
                .antMatchers("/vaadinServlet/PUSH/**").denyAll() // Define your URL patterns here
                .and()
                .headers()
                .cacheControl().disable() // Disable caching globally
                .addHeaderWriter((request, response) -> {
                    response.setHeader(HttpHeaders.CACHE_CONTROL, "no-store, no-cache, must-revalidate, max-age=0");
                    response.setHeader(HttpHeaders.PRAGMA, "no-cache");
                    response.setHeader(HttpHeaders.EXPIRES, "0");
                })
                .and()
                .csrf().disable();

adnan.khan · July 18, 2024, 10:04am

added below code also

 http
                // ...
                .headers()
                .defaultsDisabled()
                .cacheControl();
        return http.build();

but i am only getting

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache

missing header from response max-age=0, post-check=0, pre-check=0