[SAR] APPENG-5143: DCR response Cache-Control header#200
Conversation
Add Cache-Control: no-store and Pragma: no-cache headers to the DCR response that contains client_secret. This prevents proxies and browsers from caching sensitive OAuth credentials. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
luis5tb
left a comment
luis5tb
left a comment
There was a problem hiding this comment.
PR #200 Review Summary
PR: [SAR] APPENG-5143: DCR response Cache-Control header
Author: yuvalk | Size: +3 / -1, 1 file | CWE: CWE-525
Critical (1)
- Error response missing cache headers — The error path (lines 90-96) returns
erroranderror_descriptionwithoutCache-Control/Pragmaheaders. RFC 6749 Section 5.2 requires cache headers on token endpoint error responses too. Error descriptions could leak validation details (account states, procurement IDs) if cached by a proxy. Apply the sameheaders={"Cache-Control": "no-store", "Pragma": "no-cache"}to the errorJSONResponse.[router.py:90-96]
Important (2)
-
Add
Expires: 0for defense-in-depth — Older HTTP/1.0 proxies may not honorCache-Control. Adding"Expires": "0"is a one-line addition recommended by RFC 7234 and OWASP OAuth best practices.[router.py:105] -
No test coverage for cache headers — No test exists for a successful DCR response at all. A test mocking
register_clientto return success and assertingresponse.headers["cache-control"] == "no-store"would verify headers survive middleware processing.[tests/test_dcr.py]
Suggestions (2)
-
Unnecessary intermediate variable — The
response = JSONResponse(...)/return responsepattern can be simplified to a directreturn JSONResponse(...). Minor style nit. -
Consider global cache policy — The security middleware sets HSTS/X-Content-Type-Options/X-Frame-Options but no cache policy. A global
Cache-Control: no-storeinSecurityHeadersMiddlewarewould prevent future endpoints from accidentally serving sensitive data without cache headers. Good follow-up task.
Strengths
- Correct fix for CWE-525 —
Cache-Control: no-storeis the right directive per RFC 6749 Section 5.1 - Minimal, focused diff addressing exactly one security concern
client_secretis Fernet-encrypted at rest; no evidence of secret logging- JWT validation and procurement API cross-referencing are sound
- Idempotent DCR handling for repeat requests is correct per RFC 7591
Verdict: Request Changes
The fix is correct on the success path but incomplete — the error response path needs the same cache headers per RFC 6749 Section 5.2. Adding Expires: 0 and a test would round it out. All three are small changes.
|
review fixes at PR yuvalk#6 |
2 participants
Summary
Addresses APPENG-5143.
Adds
Cache-Control: no-storeandPragma: no-cacheheaders to the DCR response that containsclient_secret, preventing proxies and browsers from caching sensitive OAuth credentials.Changes
Cache-Control: no-storeandPragma: no-cacheheaders to the successful DCR response insrc/lightspeed_agent/marketplace/router.pySAR Reference
Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com