From e39cdd490bd758bb1894277bf8f0cb07e1aa6a6a Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 17 Mar 2022 16:24:03 -0400
Subject: [PATCH] fix(security): explicitly set cache-control 'private' on any page where a header is built
---
 src/middleware/admin.js | 2 ++
 src/middleware/header.js | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index 47bbbc50ed..d2511528ad 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -25,6 +25,8 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 if (req.method === 'GET') {
 await require('./index').applyCSRFasync(req, res);
 }
+
+ res.set('cache-control', 'private');
 res.locals.config = await controllers.api.loadConfig(req);
 next();
 });
diff --git a/src/middleware/header.js b/src/middleware/header.js
index 3c33a3fd93..439e8bb7e8 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -44,6 +44,11 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 req.logout();
 return res.redirect('/');
 }
+
+ if (req.loggedIn) {
+ res.set('cache-control', 'private');
+ }
+
 res.locals.config = config;
 next();
 });
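Review bot: `Cache-Control: private` on the admin buildHeader only stops shared caches; the browser cache and back/forward cache may still keep a copy of the page, and the lines just above mint a CSRF token for every GET, so if that token (or the loaded config) ends up in the rendered page it is retained on disk of a shared machine after logout. For admin responses I would use the stronger form, `res.set('cache-control', 'private, no-store');`, which is what the commit message's intent ("explicitly" keep admin pages out of caches) reads as. Whether the token is actually embedded in the HTML is not visible in this hunk, so treat that as something to confirm. The enclosing buildHeader starts before this hunk; the visible `});` closes it.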
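Review bot: The new `if (req.loggedIn)` block uses `res.set`, which replaces any `Cache-Control` an earlier middleware or plugin already placed on the response, so a stricter `no-store` set upstream would be quietly downgraded to `private`; either append to the existing value or set the stricter `res.set('cache-control', 'private, no-store');` directly. The guard also leaves the anonymous rendering of the same URL fully cacheable with no `Vary` on the session cookie, so a shared cache that stored the guest copy can keep serving it after the user logs in (and vice versa if `private` is ever missing) — adding `res.vary('Cookie');` in the same branch, or unconditionally, closes that gap; I cannot see from the hunk whether `Vary` is set elsewhere. buildHeader begins before this hunk; the visible `});` closes it.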