Strip Set-Cookie header on public endpoints (#1775)

mkst · web-flow · commit 8ef7a21fe62b · 2025-12-21T07:13:32.000Z
diff --git a/backend/coreapp/middleware.py b/backend/coreapp/middleware.py
@@ -159,3 +159,15 @@ def middleware(request: Request) -> Response:
         return response
 
     return middleware
+
+
+def strip_session(
+    get_response: Callable[[HttpRequest], Response],
+) -> Callable[[Request], Response]:
+    def middleware(request: Request) -> Response:
+        response = get_response(request)
+        if is_public_request(request):
+            response.cookies.clear()
+        return response
+
+    return middleware
diff --git a/backend/decompme/settings.py b/backend/decompme/settings.py
@@ -82,6 +82,7 @@
 ]
 
 MIDDLEWARE = [
+    "coreapp.middleware.strip_session",
     "coreapp.middleware.strip_cookie_vary",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,7 @@`
`82`	`82`	`]`
`83`	`83`
`84`	`84`	`MIDDLEWARE = [`
	`85`	`+ "coreapp.middleware.strip_session",`
`85`	`86`	`"coreapp.middleware.strip_cookie_vary",`
`86`	`87`	`"django.middleware.security.SecurityMiddleware",`
`87`	`88`	`"django.contrib.sessions.middleware.SessionMiddleware",`