fix(security): explicitly set cache-control 'private' on any page where a header is built

src/middleware/admin.js

@@ -25,6 +25,8 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 	if (req.method === 'GET') {
 		await require('./index').applyCSRFasync(req, res);
 	}
+
+	res.set('cache-control', 'private');
 	res.locals.config = await controllers.api.loadConfig(req);
 	next();
 });

src/middleware/header.js

@@ -44,6 +44,11 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 		req.logout();
 		return res.redirect('/');
 	}
+
+	if (req.loggedIn) {
+		res.set('cache-control', 'private');
+	}
+
 	res.locals.config = config;
 	next();
 });