Return a no-store Cache-Control header for newNonce (#4908)

The spec specifies (https://tools.ietf.org/html/rfc8555#section-7.2) that a `no-store` Cache-Control header is required in response to getting a new nonce. This PR makes that change specifically but does not modify other uses of the `no-cache` directive. Fixes #4727
2020-06-26 14:02:27 -05:00 · 2020-06-26 14:02:27 -05:00 · 203ec13750
parent edee82d572
commit 203ec13750
2 changed files with 11 additions and 1 deletions
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@ -515,12 +515,17 @@ func (wfe *WebFrontEndImpl) Nonce(
 	}

 	statusCode := http.StatusNoContent
-	// The ACME specification says GET requets should receive http.StatusNoContent
+	// The ACME specification says GET requests should receive http.StatusNoContent
 	// and HEAD/POST-as-GET requests should receive http.StatusOK.
 	if request.Method != "GET" {
 		statusCode = http.StatusOK
 	}
 	response.WriteHeader(statusCode)
+
+	// The ACME specification says the server MUST include a Cache-Control header
+	// field with the "no-store" directive in responses for the newNonce resource,
+	// in order to prevent caching of this resource.
+	response.Header().Set("Cache-Control", "no-store")
 }

 // sendError wraps web.SendError
--- a/wfe2/wfe_test.go
+++ b/wfe2/wfe_test.go
@ -905,6 +905,11 @@ func TestNonceEndpoint(t *testing.T) {
 			// And the response should contain a valid nonce in the Replay-Nonce header
 			nonce := responseWriter.Header().Get("Replay-Nonce")
 			test.AssertEquals(t, wfe.nonceService.Valid(nonce), true)
+			// The server MUST include a Cache-Control header field with the "no-store"
+			// directive in responses for the newNonce resource, in order to prevent
+			// caching of this resource.
+			cacheControl := responseWriter.Header().Get("Cache-Control")
+			test.AssertEquals(t, cacheControl, "no-store")
 		})
 	}
 }