From 203ec1375018b24e45cd911509cf4d87dfce022a Mon Sep 17 00:00:00 2001
From: Matt Drollette
Date: Fri, 26 Jun 2020 14:02:27 -0500
Subject: [PATCH] Return a no-store Cache-Control header for newNonce (#4908)

The spec specifies (https://tools.ietf.org/html/rfc8555#section-7.2) that a `no-store` Cache-Control header is required in response to getting a new nonce. This PR makes that change specifically but does not modify other uses of the `no-cache` directive. Fixes #4727
---
 wfe2/wfe.go | 7 ++++++-
 wfe2/wfe_test.go | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 4af92e927..caf509007 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@@ -515,12 +515,17 @@ func (wfe *WebFrontEndImpl) Nonce(
 }
 statusCode := http.StatusNoContent
- // The ACME specification says GET requets should receive http.StatusNoContent
+ // The ACME specification says GET requests should receive http.StatusNoContent
 // and HEAD/POST-as-GET requests should receive http.StatusOK.
 if request.Method != "GET" {
 statusCode = http.StatusOK
 }
 response.WriteHeader(statusCode)
+
+ // The ACME specification says the server MUST include a Cache-Control header
+ // field with the "no-store" directive in responses for the newNonce resource,
+ // in order to prevent caching of this resource.
+ response.Header().Set("Cache-Control", "no-store")
 }
 // sendError wraps web.SendError
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
index 77ca0d69b..4f52aeffe 100644
--- a/wfe2/wfe_test.go
+++ b/wfe2/wfe_test.go
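Review bot: The new `response.Header().Set("Cache-Control", "no-store")` runs after `response.WriteHeader(statusCode)`, and with a real net/http ResponseWriter the header map is committed at WriteHeader, so this header is never sent to the client and the RFC 8555 no-store requirement the commit is meant to satisfy is not actually met on the wire. Move the set above the status write, i.e. `response.Header().Set("Cache-Control", "no-store")` immediately before `response.WriteHeader(statusCode)`, and keep the explanatory comment with it. The accompanying unit test does not catch this because `httptest.ResponseRecorder.Header()` returns the live map rather than the snapshot taken at WriteHeader. The body of Nonce begins outside this hunk.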
@@ -905,6 +905,11 @@ func TestNonceEndpoint(t *testing.T) {
 // And the response should contain a valid nonce in the Replay-Nonce header
 nonce := responseWriter.Header().Get("Replay-Nonce")
 test.AssertEquals(t, wfe.nonceService.Valid(nonce), true)
+ // The server MUST include a Cache-Control header field with the "no-store"
+ // directive in responses for the newNonce resource, in order to prevent
+ // caching of this resource.
+ cacheControl := responseWriter.Header().Get("Cache-Control")
+ test.AssertEquals(t, cacheControl, "no-store")
 })
 }
 }
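Review bot: The assertion reads `responseWriter.Header().Get("Cache-Control")`, which, assuming responseWriter is an `*httptest.ResponseRecorder`, is the recorder's mutable header map rather than the headers as a client would receive them; it passes even when the handler sets the header only after `WriteHeader`, which is exactly what the wfe.go hunk does. Reading the committed headers instead, `cacheControl := responseWriter.Result().Header.Get("Cache-Control")`, checks the snapshot taken at WriteHeader and would fail for a header that is never sent. The enclosing TestNonceEndpoint and its subtest closure begin outside this hunk.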