SECURITY: Disallow caching of MIME/Content-Type errors (#14907)

This will sign intermediary proxies and/or misconfigured CDNs to not cache those error responses.
2025-05-22 07:01:20 +08:00 · 2021-11-12 15:52:25 -03:00
parent 9ca93f57cc
commit 6645243a26
3 changed files with 4 additions and 3 deletions
--- a/lib/middleware/discourse_public_exceptions.rb
+++ b/lib/middleware/discourse_public_exceptions.rb
@ -35,7 +35,7 @@ module Middleware
          begin
            request.format
          rescue Mime::Type::InvalidMimeType
-            return [400, {}, ["Invalid MIME type"]]
+            return [400, { "Cache-Control" => "private, max-age=0, must-revalidate" }, ["Invalid MIME type"]]
          end

          if ApplicationController.rescue_with_handler(exception, object: fake_controller)