Security: Always include the no-store and private directives in the Cache-Control header when setting headers that prevent caching.

johnbillion · johnbillion · commit 784e60bb5a2d · 2025-01-28T23:20:48.000Z
The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users. This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files. Props kkmuffme, devansh2002, johnbillion. Fixes #61942 git-svn-id: https://develop.svn.wordpress.org/trunk@59724 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
@@ -1489,18 +1489,18 @@ function status_header( $code, $description = '' ) {
  * Gets the HTTP header information to prevent caching.
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers.
+ * is handled by different browsers or intermediate caches such as proxy servers.
  *
  * @since 2.8.0
  * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
  *              `no-store` and `private` directives.
+ * @since 6.8.0 The `Cache-Control` header now includes the `no-store` and `private`
+ *              directives regardless of whether a user is logged in.
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
-	$cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
-		? 'no-cache, must-revalidate, max-age=0, no-store, private'
-		: 'no-cache, must-revalidate, max-age=0';
+	$cache_control = 'no-cache, must-revalidate, max-age=0, no-store, private';
 
 	$headers = array(
 		'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',
diff --git a/tests/e2e/specs/cache-control-headers-directives.test.js b/tests/e2e/specs/cache-control-headers-directives.test.js
@@ -27,6 +27,7 @@ test.describe( 'Cache Control header directives', () => {
 		// Dispose context once it's no longer needed.
 		await context.close();
 
+		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-cache" } ) );
 		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-store" } ) );
 		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "private" } ) );
 	} );
@@ -40,6 +41,27 @@ test.describe( 'Cache Control header directives', () => {
 		const response = await page.goto( '/wp-admin' );
 		const responseHeaders = response.headers();
 
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
+	} );
+
+	test(
+		'Correct directives present in cache control header when not logged in on 404 page.',
+		async ( { browser }
+		) => {
+		const context = await browser.newContext();
+		const loggedOutPage = await context.newPage();
+
+		const response = await loggedOutPage.goto( '/this-does-not-exist/' );
+		const responseHeaders = response.headers();
+		const responseStatus = response.status();
+
+		// Dispose context once it's no longer needed.
+		await context.close();
+
+		expect( responseStatus ).toBe( 404 );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
 		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
 		expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
 	} );
