Return a no-store Cache-Control header for newNonce (#4908)

The spec (https://tools.ietf.org/html/rfc8555#section-7.2) requires a
`no-store` Cache-Control header in the response to a new-nonce request.
This PR makes only that change and does not modify other uses of the
`no-cache` directive.

Fixes #4727
Matt Drollette 2020-06-26 14:02:27 -05:00 committed by GitHub
parent edee82d572
commit 203ec13750
2 changed files with 11 additions and 1 deletions


@ -515,12 +515,17 @@ func (wfe *WebFrontEndImpl) Nonce(
} }
statusCode := http.StatusNoContent statusCode := http.StatusNoContent
// The ACME specification says GET requets should receive http.StatusNoContent // The ACME specification says GET requests should receive http.StatusNoContent
// and HEAD/POST-as-GET requests should receive http.StatusOK. // and HEAD/POST-as-GET requests should receive http.StatusOK.
if request.Method != "GET" { if request.Method != "GET" {
statusCode = http.StatusOK statusCode = http.StatusOK
} }
response.WriteHeader(statusCode) response.WriteHeader(statusCode)
// The ACME specification says the server MUST include a Cache-Control header
// field with the "no-store" directive in responses for the newNonce resource,
// in order to prevent caching of this resource.
response.Header().Set("Cache-Control", "no-store")
} }
// sendError wraps web.SendError // sendError wraps web.SendError
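Review bot: The new `response.Header().Set("Cache-Control", "no-store")` comes after `response.WriteHeader(statusCode)`, and net/http ignores changes to the header map once WriteHeader has been called (except for 1xx responses and trailers), so a real server will not send `no-store` even though the comment above it says the server MUST. Move the new comment and `response.Header().Set("Cache-Control", "no-store")` above `response.WriteHeader(statusCode)`, next to wherever the `Replay-Nonce` header is set. The body of `Nonce` begins outside the hunk, so that earlier header write is not visible here.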


@ -905,6 +905,11 @@ func TestNonceEndpoint(t *testing.T) {
// And the response should contain a valid nonce in the Replay-Nonce header // And the response should contain a valid nonce in the Replay-Nonce header
nonce := responseWriter.Header().Get("Replay-Nonce") nonce := responseWriter.Header().Get("Replay-Nonce")
test.AssertEquals(t, wfe.nonceService.Valid(nonce), true) test.AssertEquals(t, wfe.nonceService.Valid(nonce), true)
// The server MUST include a Cache-Control header field with the "no-store"
// directive in responses for the newNonce resource, in order to prevent
// caching of this resource.
cacheControl := responseWriter.Header().Get("Cache-Control")
test.AssertEquals(t, cacheControl, "no-store")
}) })
} }
} }
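Review bot: The new assertion reads `responseWriter.Header().Get("Cache-Control")` directly, which, if `responseWriter` is an `httptest.ResponseRecorder` as the `Replay-Nonce` check on the previous line suggests, returns the live header map and therefore passes even when the handler sets the header after `WriteHeader`, which is what the `Nonce` hunk in this commit does. Asserting on the recorded response instead, `cacheControl := responseWriter.Result().Header.Get("Cache-Control")`, checks the snapshot taken at WriteHeader time and would catch that ordering problem. The enclosing subtest closure and `TestNonceEndpoint` begin outside the hunk.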