From 98a0d7cff2e297e7e6fb04ba9b9b5ba8cc0526a3 Mon Sep 17 00:00:00 2001 From: Morten Tokle Date: Tue, 25 Oct 2022 13:09:09 +0200 Subject: Prevent browser API caching --- .../main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java | 2 +- .../jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java index fd9c558f97b..e261f420e1c 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java @@ -22,7 +22,7 @@ class CorsLogic { "Okta-Access-Token,Okta-Refresh-Token,Vespa-Csrf-Token", "Access-Control-Allow-Methods", "OPTIONS,GET,PUT,DELETE,POST,PATCH", "Access-Control-Allow-Credentials", "true", - "Vary", "Origin" + "Vary", "*" ); static Map createCorsResponseHeaders(String requestOriginHeader, diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java index 0059fcf1d25..520e22de136 100644 --- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java +++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/misc/SecurityHeadersResponseFilter.java @@ -20,6 +20,5 @@ public class SecurityHeadersResponseFilter implements SecurityResponseFilter { response.setHeader("X-Content-Type-Options", "nosniff"); response.setHeader("X-Frame-Options", "DENY"); response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin"); - response.setHeader("Vary", "*"); } } -- cgit v1.2.3