Set HTTP cache-control header to no-cache, no-store, must-revalidate, private; and HTTP pragma header to no-cache.

Summary

Hello,
We regularly run penetration tests on our self-hosted gitlab instance.
We have an alert regarding our configuration because the Cache-Control and Pragma HTTP headers were not set correctly or are missing, allowing the browser and proxies to cache content.

The cache-control and pragma HTTP headers therefore make it possible to indicate to proxy servers that the content of the exchange should not be stored.

In fact, this makes it possible to ensure that the confidentiality of the data is respected and that third parties managing this equipment cannot access it through this intermediary.

Proposal

The best way to remediate this issue is to make sure the HTTP Cache-Control header is set to no-cache, no-store, must-revalidate, private; and that the HTTP Pragma header is set to no-cache.

Edited by Shrashthi Agarwal
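Added example, not part of the original issue and not GitLab code: a small Python checker that evaluates a response's headers against the values proposed above, so the finding can be re-tested after a configuration change without waiting for the next pentest. Header names follow RFC 7234; the two sample header sets (a weak one and a hardened one) are constructed for illustration and do not come from any real GitLab response.

```python
"""Check HTTP response headers against the no-caching recommendation
(Cache-Control: no-cache, no-store, must-revalidate, private; Pragma: no-cache)."""
from typing import Dict, List, Set

# Directives the pentest report asks for in Cache-Control.
REQUIRED_CACHE_CONTROL = {"no-cache", "no-store", "must-revalidate", "private"}

# Constructed sample responses (not captured from a real server).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "max-age=0, private",  # no-store and no-cache missing, Pragma absent
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-cache, no-store, must-revalidate, private",
    "Pragma": "no-cache",
}


def parse_directives(value: str) -> Set[str]:
    """Split a comma-separated header value into lower-cased directive names.

    Parameters such as max-age=0 or no-cache="Set-Cookie" are reduced to
    their name so that directive matching is not confused by values.
    """
    directives = set()
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            directives.add(token.split("=", 1)[0].strip())
    return directives


def check_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response complies."""
    # Header names are case-insensitive, so normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    cache_control = lower.get("cache-control")
    if cache_control is None:
        findings.append("Cache-Control header missing")
    else:
        directives = parse_directives(cache_control)
        missing = REQUIRED_CACHE_CONTROL - directives
        if missing:
            findings.append(
                "Cache-Control missing directives: " + ", ".join(sorted(missing))
            )
        if "public" in directives:
            # public and private contradict each other; flag it explicitly.
            findings.append("Cache-Control contains 'public', which contradicts 'private'")

    pragma = lower.get("pragma")
    if pragma is None:
        findings.append("Pragma header missing")
    elif "no-cache" not in parse_directives(pragma):
        findings.append(f"Pragma is '{pragma}', expected 'no-cache'")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = check_cache_headers(hdrs)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Two practitioner caveats on applying the fix, which are general HTTP behaviour rather than anything stated in the issue: Pragma: no-cache is an HTTP/1.0 request-era header that modern caches ignore in favour of Cache-Control, so it is kept only for legacy intermediaries; and a site-wide no-store forces browsers to refetch static assets on every page load, so the directives are normally applied to authenticated or otherwise sensitive responses rather than to every path.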