Merge pull request #136 from jamie-taylor-rjj/bugfix/incorrect-cache-…

…control-header-values

Fixed #135 by replacing the incorrect default values for the Cache-Control header with the correct ones.

src/Extensions/SecureHeadersMiddlewareBuilder.cs

@@ -256,7 +256,7 @@ public static SecureHeadersMiddlewareConfiguration UseReferrerPolicy
         /// </exception>
         public static SecureHeadersMiddlewareConfiguration UseCacheControl
         (this SecureHeadersMiddlewareConfiguration config,
-            bool @private = true, int maxAge = 31536000, bool noCache = false, bool noStore = false,
+            bool @private = false, int maxAge = 0, bool noCache = false, bool noStore = true,
             bool mustRevalidate = false)
         {
             config.UseCacheControl = true;

src/Models/CacheControl.cs

@@ -11,6 +11,7 @@ public class CacheControl : IConfigurationBase
         /// Whether all or part of the HTTP response message is intended for a
         /// single user and must not be cached by a shared cache.
         /// </summary>
+        /// <remarks>
         /// The following is taken from the MDN article for cache-control
         ///    If you forget to add private to a response with personalized content,
         ///    then that response can be stored in a shared cache and end up being
@@ -63,8 +64,8 @@ public class CacheControl : IConfigurationBase
         [ExcludeFromCodeCoverage]
         protected CacheControl() { }
 
-        public CacheControl(bool @private, int maxAge = 86400, bool noCache = false,
-            bool noStore = false, bool mustRevalidate = false)
+        public CacheControl(bool @private, int maxAge = 0, bool noCache = false,
+            bool noStore = true, bool mustRevalidate = false)
         {
             Private = @private;
             MaxAge = maxAge;
@@ -86,22 +87,23 @@ public string BuildHeaderValue()
                 return stringBuilder.ToString();
             }
 
-            if (NoStore)
+            if (Private)
             {
-                stringBuilder.Append("no-store");
+                stringBuilder.Append("private");
                 return stringBuilder.ToString();
             }
 
-            stringBuilder.Append("max-age=");
-            stringBuilder.Append(MaxAge);
             if (MustRevalidate)
             {
-                stringBuilder.Append(", must-revalidate");
+                stringBuilder.Append("must-revalidate");
+                return stringBuilder.ToString();
             }
 
-            if (Private)
+            stringBuilder.Append($"max-age={MaxAge},");
+            if (NoStore)
             {
-                stringBuilder.Append(", private");
+                stringBuilder.Append("no-store");
+                return stringBuilder.ToString();
             }
 
             return stringBuilder.ToString();

src/OwaspHeaders.Core.csproj

@@ -8,7 +8,7 @@
 
     <!-- NuGet metadata -->
     <PackageId>OwaspHeaders.Core</PackageId>
-    <Version>9.2.3</Version>
+    <Version>9.3.0</Version>
     <Authors>Jamie Taylor</Authors>
     <Company>RJJ Software Ltd</Company>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>

tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs

@@ -79,7 +79,7 @@ public void BuildDefaultConfiguration_Returns_Valid_Configuration()
 
         // Cache-Control
         Assert.True(response.UseCacheControl);
-        Assert.Equal("max-age=31536000, private", response.CacheControl.BuildHeaderValue());
+        Assert.Equal("max-age=0,no-store", response.CacheControl.BuildHeaderValue());
 
         // X-XSS-Protection
         Assert.True(response.UseXssProtection);