Add middleware to set Cache-Control header for challenge HTML (#132)

* Add middleware to set Cache-Control header for challenge HTML * Add `NoStoreCache` middleware function in `internal/headers.go` to set Cache-Control: no-store header * Apply `NoStoreCache` middleware in `cmd/anubis/main.go` to set Cache-Control header for challenge HTML * docs: Add no-cache header information for challenge page * docs: Update changelog to reflect no-store Cache-Control header addition for challenge page * refactor: rename variable for clarity and update caching middleware in RenderIndex * chore: move changes to the unreleased section Signed-off-by: Jason Cameron <git@jasoncameron.dev> --------- Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> Signed-off-by: Jason Cameron <git@jasoncameron.dev>
2025-08-03 01:38:14 -04:00 · 2025-03-29 21:15:50 -04:00 · 2025-03-29 21:15:50 -04:00 · 3683f95933
commit 3683f95933
parent 168329fff0
3 changed files with 18 additions and 5 deletions
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]
+- Added a no-store Cache-Control header to the challenge page

 - Hide the directory listings for Anubis' internal static content
 - Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.
--- a/internal/headers.go
+++ b/internal/headers.go
@ -64,6 +64,15 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler {
 	})
 }

+// NoStoreCache sets the Cache-Control header to no-store for the response.
+func NoStoreCache(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
+	  next.ServeHTTP(w, r)
+	})
+}
+
+
 // Do not allow browsing directory listings in paths that end with /
 func NoBrowsing(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
--- a/lib/anubis.go
+++ b/lib/anubis.go
@ -162,7 +162,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (s *Server) challengeFor(r *http.Request, difficulty int) string {
 	fp := sha256.Sum256(s.priv.Seed())

-	data := fmt.Sprintf(
+	challengeData := fmt.Sprintf(
 		"Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
 		r.Header.Get("Accept-Language"),
 		r.Header.Get("X-Real-Ip"),
@ -171,7 +171,7 @@ func (s *Server) challengeFor(r *http.Request, difficulty int) string {
 		fp,
 		difficulty,
 	)
-	return internal.SHA256sum(data)
+	return internal.SHA256sum(challengeData)
 }

 func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
@ -326,9 +326,12 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 }

 func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request) {
-	templ.Handler(
-		web.Base("Making sure you're not a bot!", web.Index()),
-	).ServeHTTP(w, r)
+	handler := internal.NoStoreCache(
+		templ.Handler(
+			web.Base("Making sure you\\'re not a bot!", web.Index()),
+		),
+	)
+	handler.ServeHTTP(w, r)
 }

 func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {