A security audit of a site complained about anti-caching headers. Some browsers and proxies 'ignore' the no-cache setting and do store some responses. These stored responses could then be read without permission.
The proposed solution was to add a 'no-store' to the caching. The easiest way was to change the default cache-control headers in drupal_page_header().
I'll add a patch that provides a variable with a default for the default page headers. It should give no backwards-compatibility problems.
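The audit finding above, as an added example that is not part of the original issue or its patch: a Python check that classifies a response's Cache-Control value by whether it forbids storage (`no-store`) or only demands revalidation (`no-cache`). The function names and the sample header values are constructed for illustration.

```python
# Added example: helper names are hypothetical, sample headers are constructed.

def split_directives(value):
    """Split a Cache-Control value on commas, ignoring commas inside quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_cache_control(value):
    """Return {directive: argument or None}; directive names are lower-cased."""
    directives = {}
    for part in split_directives(value):
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit(headers):
    """Classify a response given as a list of (header name, value) pairs."""
    values = [v for n, v in headers if n.lower() == "cache-control"]
    if not values:
        return "missing"          # caches fall back to heuristics
    directives = parse_cache_control(", ".join(values))
    if "no-store" in directives:
        return "ok"               # caches must not keep a copy
    if "no-cache" in directives:
        return "no-cache-only"    # a copy may be stored, then revalidated
    return "storable"

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    samples = {
        "page A": [("Cache-Control", "no-cache, must-revalidate")],
        "page B": [("Cache-Control", "no-store, no-cache, must-revalidate")],
        "page C": [("Cache-Control", "public, max-age=300")],
        "page D": [("Content-Type", "text/html")],
    }
    for label, headers in samples.items():
        print(label, audit(headers))
```

A result of `no-cache-only` corresponds to the case the audit complained about: the response can still be written to a cache even though reuse requires revalidation.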
Comments
Comment #1
SpadXIII commented: The patch with the default page cache-control header in a variable.
Comment #2
MrHaroldA commented: Cool!
Another option could be to move the variable_get() into the drupal_send_headers() call to give you full control over all headers.
Comment #3
SpadXIII commented: Updated the patch for latest 7.x
Comment #4
Tess Bakker: New patch based on latest dev
Comment #5
mvwensen commented: Patch will not apply on the latest dev, created a new patch.
Comment #8
Tess Bakker: Tip: Use Metatag module to set up a global or context-specific Control-Cache tag.