Tweak design and try to prevent CSRF issues

2022-07-08 09:01:25 +02:00 · 2022-07-08 09:01:25 +02:00 · 68c13b275d
commit 68c13b275d
parent 7bb417759e
4 changed files with 32 additions and 1 deletions
--- a/app/main.py
+++ b/app/main.py
@ -122,6 +122,17 @@ async def add_security_headers(request: Request, call_next):
    response.headers["x-content-type-options"] = "nosniff"
    response.headers["x-xss-protection"] = "1; mode=block"
    response.headers["x-frame-options"] = "SAMEORIGIN"
+    if request.url.path.startswith("/admin/login") or (
+        is_current_user_admin(request)
+        and not (
+            request.url.path.startswith("/attachments")
+            or request.url.path.startswith("/proxy")
+            or request.url.path.startswith("/static")
+        )
+    ):
+        # Prevent caching (to prevent caching CSRF tokens)
+        response.headers["Cache-Control"] = "private"
+
    # TODO(ts): disallow inline CSS?
    if DEBUG:
        return response