Security: Implement strict Cache-Control directives (Fix CWE-525)#805

Merged
lnovitz merged 6 commits into main from casa-tier-2-remediation on Feb 16, 2026

Conversation

@lnovitz
Collaborator

@lnovitz lnovitz commented Feb 16, 2026

Pull Request

Description

This PR addresses vulnerability CWE-525 (Insufficient Caching of Sensitive Information) by implementing strict Cache-Control headers across both the frontend and backend. The previous configuration lacked the no-store directive, which could allow sensitive user data (such as job application details on the dashboard) to be stored in browser or intermediate proxy caches.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📝 Documentation update
  • 🎨 Style update (formatting, renaming)
  • ♻️ Code refactor (no functional changes)
  • ⚡️ Performance improvement
  • ✅ Test update
  • 🔨 Build configuration update
  • 🔒 Security update

Changes Made

  • Strengthened Frontend Global Fallback: Updated frontend/next.config.js to set the default Cache-Control to no-store, no-cache, must-revalidate, proxy-revalidate for all routes. This ensures that any page not explicitly whitelisted for caching will never be stored on disk.
  • Refined Public Page Whitelist: Updated the regex in next.config.js to explicitly allow 1-hour public caching for non-sensitive pages like /login, /faq, and /pricing, while keeping them isolated from sensitive dashboard routes.
  • Strict API Cache Prevention: Modified the SecurityHeadersMiddleware in backend/main.py to inject strict no-store headers into all API responses. This prevents user-specific data from being cached by CDNs or corporate proxies.
  • Legacy Compatibility: Added Pragma: no-cache and Expires: 0 headers to both frontend and backend for maximum compatibility with older browsers.

Testing

  1. Inspect the network tab for https://app.justajobapp.com/dashboard.
  2. Verify Cache-Control is no-store, no-cache, must-revalidate, proxy-revalidate.
  3. Inspect https://www.justajobapp.com/faq.
  4. Verify Cache-Control remains public, max-age=3600.

API Changes

  • API changes included:
    Added strict Cache-Control, Pragma, and Expires headers to all outgoing responses via SecurityHeadersMiddleware in main.py.

By submitting this pull request, I confirm that my contribution is made under the terms of the project's license.
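The caching policy the description lays out (a public whitelist with a 1-hour TTL, a no-store fallback for everything else, plus the legacy Pragma/Expires headers) together with the check behind the Testing steps, as an added Python example that is not the project's own code. The exact whitelist regex is an assumption: the PR names the public pages but does not show the pattern used in next.config.js.

```python
"""Cache-Control policy described in PR #805, modelled as pure functions.

Added example, not the project's code. PUBLIC_PAGE_RE is an assumption:
the PR lists the public pages but not the exact next.config.js pattern.
"""
import re

# Assumed whitelist of non-sensitive pages that may be cached publicly.
PUBLIC_PAGE_RE = re.compile(r"^/(login|faq|pricing|cookies|dsar|signup)/?$")

PUBLIC_HEADERS = {"Cache-Control": "public, max-age=3600"}

# Secure-by-default fallback for everything else (dashboard, API routes).
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, proxy-revalidate",
    "Pragma": "no-cache",  # honoured by HTTP/1.0-era caches
    "Expires": "0",        # invalid date == already expired for legacy caches
}


def headers_for_path(path: str) -> dict:
    """Return the caching headers the policy assigns to `path`.
    Only the path decides; any query string is ignored."""
    bare = path.split("?", 1)[0]
    if PUBLIC_PAGE_RE.match(bare):
        return dict(PUBLIC_HEADERS)
    return dict(NO_STORE_HEADERS)


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control value into {directive: argument or None}.
    Directive names are case-insensitive, so they are lower-cased."""
    out = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def forbids_storage(headers: dict) -> bool:
    """The check behind step 2 of the Testing section: a response holding
    sensitive data passes only if Cache-Control carries no-store.
    `private`, `no-cache` or `max-age=0` alone do not qualify: each still
    lets a browser write the body to its on-disk cache."""
    directives = parse_cache_control(headers.get("Cache-Control", ""))
    return "no-store" in directives
```

Running `forbids_storage` over the pre-PR fallback value quoted in the changelog (`private, no-cache, max-age=0, s-maxage=0, must-revalidate`) returns False, which is exactly the gap CWE-525 describes.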

@gemini-code-assist
Contributor

Summary of Changes

Hello @lnovitz, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements strict Cache-Control directives across both the frontend and backend to address the CWE-525 vulnerability (Insufficient Caching of Sensitive Information). The changes prevent sensitive user data from being stored in browser or intermediate proxy caches by enforcing no-store policies by default, while carefully whitelisting public, non-sensitive pages for limited caching.

Highlights

  • Frontend Global Fallback: Updated frontend/next.config.js to set the default Cache-Control to no-store, no-cache, must-revalidate, proxy-revalidate for all routes, ensuring non-whitelisted pages are never stored.
  • Public Page Whitelist: Refined the regex in next.config.js to explicitly allow 1-hour public caching for non-sensitive pages like /login, /faq, and /pricing, while isolating them from sensitive dashboard routes.
  • API Cache Prevention: Modified SecurityHeadersMiddleware in backend/main.py to inject strict no-store headers into all API responses, preventing user-specific data from being cached by CDNs or proxies.
  • Legacy Compatibility: Added Pragma: no-cache and Expires: 0 headers to both frontend and backend for maximum compatibility with older browsers.

Changelog

  • backend/main.py
    • Added Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate header to API responses.
    • Added Pragma: no-cache header to API responses.
    • Added Expires: 0 header to API responses.
  • frontend/next.config.js
    • Updated the global fallback Cache-Control value from private, no-cache, max-age=0, s-maxage=0, must-revalidate to no-store, no-cache, must-revalidate, proxy-revalidate.
    • Added Pragma: no-cache and Expires: 0 headers to the global fallback.
    • Expanded the regex for public static pages to include pricing, cookies, dsar, and signup.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request effectively addresses the CWE-525 vulnerability by implementing strict Cache-Control headers to prevent sensitive information from being cached. The changes in both the backend and frontend adopt a secure-by-default approach, setting no-store for all API responses and dynamic pages, while correctly whitelisting public static pages for caching. My feedback includes a minor suggestion to simplify the Cache-Control value by removing a redundant directive, which will improve clarity and maintainability.

lnovitz and others added 4 commits February 16, 2026 14:43
@lnovitz lnovitz merged commit fa9a81a into main Feb 16, 2026
9 checks passed
@lnovitz lnovitz deleted the casa-tier-2-remediation branch February 16, 2026 23:04
@github-project-automation github-project-automation Bot moved this from Backlog to Done in Just a Job App Feb 16, 2026