Add Cache-Control "no-store" to all dynamically generated content (#39550)
This one prevents accidental storing of dynamic content containing
potentially sensitive data in cache. The way we implemented it, we
check if the response already contains "Cache-Control" - if it does
then it means that this is a static content with default cache
control set by SEND_FILE_MAX_AGE_DEFAULT setting (43200 by default).
diff --git a/airflow/www/app.py b/airflow/www/app.py
index eb4362d..8af1069 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -44,6 +44,7 @@
from airflow.www.extensions.init_robots import init_robots
from airflow.www.extensions.init_security import (
init_api_experimental_auth,
+ init_cache_control,
init_check_user_active,
init_xframe_protection,
)
@@ -180,6 +181,7 @@
init_jinja_globals(flask_app)
init_xframe_protection(flask_app)
+ init_cache_control(flask_app)
init_airflow_session_interface(flask_app)
init_check_user_active(flask_app)
return flask_app
diff --git a/airflow/www/extensions/init_security.py b/airflow/www/extensions/init_security.py
index a7739e3..8bf2c29 100644
--- a/airflow/www/extensions/init_security.py
+++ b/airflow/www/extensions/init_security.py
@@ -66,6 +66,15 @@
raise AirflowException(err)
+def init_cache_control(app):
+ def apply_cache_control(response):
+ if "Cache-Control" not in response.headers:
+ response.headers["Cache-Control"] = "no-store"
+ return response
+
+ app.after_request(apply_cache_control)
+
+
def init_check_user_active(app):
@app.before_request
def check_user_active():
