From 380dd979f6c99627bc9fcb146899d653fff29d6a Mon Sep 17 00:00:00 2001
From: Tim Wundenberg
Date: Thu, 12 Dec 2024 00:02:55 +0100
Subject: [PATCH] feat(security): #305 don't cache sensitive data

---
 handler/middleware/cache_control.go | 26 ++++++++++++++++++++++++++
 main.go | 1 +
 2 files changed, 27 insertions(+)
 create mode 100644 handler/middleware/cache_control.go

diff --git a/handler/middleware/cache_control.go b/handler/middleware/cache_control.go
new file mode 100644
index 0000000..cc7decb
--- /dev/null
+++ b/handler/middleware/cache_control.go
@@ -0,0 +1,26 @@
+package middleware
+
+import (
+ "net/http"
+ "strings"
+
+ "me-fit/log"
+)
+
+func CacheControl(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ path := r.URL.Path
+ log.Info("path: %v", path)
+
+ cached := false
+ if strings.HasPrefix(path, "/static") {
+ cached = true
+ }
+
+ if !cached {
+ w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+ }
+
+ next.ServeHTTP(w, r)
+ })
+}
diff --git a/main.go b/main.go
index 5fbcec2..3d221d9 100644
--- a/main.go
+++ b/main.go
@@ -128,6 +128,7 @@ func createHandler(d *sql.DB, serverSettings *types.Settings) http.Handler {
 return middleware.Wrapper(
 router,
 middleware.Log,
+ middleware.CacheControl,
 middleware.ContentSecurityPolicy,
 middleware.Cors(serverSettings),
 middleware.Authenticate(authService),
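Review bot: `log.Info("path: %v", path)` in CacheControl writes every request path at info level from a middleware whose only job is to set a header; main.go already wires `middleware.Log` ahead of it, so this reads as leftover debugging and should be dropped (or moved to a debug level if the logger offers one) to avoid a second log line per request and the incidental recording of any identifiers carried in path segments. `strings.HasPrefix(path, "/static")` also exempts paths such as `/staticsomething`; the tighter check is `if path != "/static" && !strings.HasPrefix(path, "/static/") {` with the `cached` flag removed, which also reads more directly than the flag-then-negate form. Because the no-store directive only covers what falls outside that prefix, it is worth confirming that nothing served under `/static` is user-specific. For intermediaries that only honour HTTP/1.0 headers, `w.Header().Set("Pragma", "no-cache")` next to the Cache-Control line is a common companion.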