Email: Send no-cache headers when auth token present for security.

2025-04-18 17:33:43 +03:00 · 2019-11-07 11:53:39 -08:00 · 2019-11-07 11:53:39 -08:00 · 7e89d1794a
parent 18228d367c
commit 7e89d1794a
1 changed files with 14 additions and 0 deletions
--- a/plugins/wporg-5ftf/includes/email.php
+++ b/plugins/wporg-5ftf/includes/email.php
@ -37,6 +37,20 @@ const TOKEN_PREFIX = '5ftf_auth_token_';
 // Longer than `get_password_reset_key()` just to be safe. See https://core.trac.wordpress.org/ticket/43546#comment:34
 const TOKEN_LENGTH = 32;

+add_action( 'wp_head', __NAMESPACE__ . '\prevent_caching_auth_tokens', 99 );
+
+/**
+ * Prevent caching mechanisms from caching authentication tokens.
+ *
+ * Search engines would often be too slow to index tokens before they expire, but other mechanisms like Varnish,
+ * etc could create situations where they're leaked to others.
+ */
+function prevent_caching_auth_tokens() {
+	if ( isset( $_GET['auth_token'] ) || isset( $_POST['auth_token'] ) ) {
+	    nocache_headers();
+	}
+}
+
 /**
 * Wrap `wp_mail()` with shared functionality.
 *