We have had some OWASP testing performed on our kirby installation as a requirement for one of our jobs. We’ve managed to pass everything apart from this “low” risk issue:
cache-control: no-store (main site)
The API for the login process (/api/auth/login) does not have cache-control set.
What’s the best way to do this, is there a simple config property to set a cache-control on the API auth endpoint? Would it just be an .htaccess / php header() thing rather than kirby itself?
It isn’t possible to set headers just for one endpoint via a configuration option. You can however use something like this in your config.php:
```php
use Kirby\Toolkit\Str;

// config.php is loaded before routing and before any output, so header() is safe here
if (Str::startsWith($_SERVER['REQUEST_URI'], '/api/')) {
    header('Cache-Control: no-store');
}
```
I consider the missing header a bug in Kirby and have created a pull request to fix this:
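A more defensive variant of the config.php approach, added here as an example and not taken from the thread above or from Kirby itself. It assumes Kirby 3 (`Kirby\Toolkit\Str`), the default API slug `api`, and that the site might be installed in a subfolder, where the raw `REQUEST_URI` starts with the folder name rather than `/api/` and the simple prefix check never fires. The helper name `$isApiRequest` and the `$noStoreHeaders` array are hypothetical names chosen for this example.

```php
<?php
// Added example for this thread; not Kirby's own code and not the snippet
// posted above. Assumptions: Kirby 3 (Kirby\Toolkit\Str), the default API
// slug "api", and a site that may live in a subfolder.
// Place this in site/config/config.php above the usual `return [...]` array.

use Kirby\Toolkit\Str;

/**
 * True when $requestUri points at the Kirby API (hypothetical helper).
 * The query string and the installation base path are stripped first, so
 * /blog/api/auth/login?x=1 on a subfolder install matches just like
 * /api/auth/login on a root install. A plain Str::startsWith() on the raw
 * REQUEST_URI misses the subfolder case.
 */
$isApiRequest = function (string $requestUri, string $scriptName = '/index.php', string $apiSlug = 'api'): bool {
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/';
    }

    // "/blog" for /blog/index.php, "" for a root install
    $base = rtrim(str_replace('\\', '/', dirname($scriptName)), '/');
    if ($base !== '' && Str::startsWith($path, $base . '/')) {
        $path = substr($path, strlen($base));
    }

    $prefix = '/' . trim($apiSlug, '/');
    return $path === $prefix || Str::startsWith($path, $prefix . '/');
};

// Cache-Control: no-store is what the audit asked for; Pragma: no-cache is
// the HTTP/1.0 counterpart that some scanners also expect on auth responses.
$noStoreHeaders = [
    'Cache-Control' => 'no-store',
    'Pragma'        => 'no-cache',
];

if (PHP_SAPI !== 'cli'
    && isset($_SERVER['REQUEST_URI'])
    && !headers_sent()
    && $isApiRequest($_SERVER['REQUEST_URI'], $_SERVER['SCRIPT_NAME'] ?? '/index.php')) {
    foreach ($noStoreHeaders as $name => $value) {
        header($name . ': ' . $value);
    }
}

// ... the normal `return [ ... ];` of config.php follows here
```

To confirm the fix after deploying, request the login endpoint directly and inspect the response headers, for example with `curl -sS -o /dev/null -D - -X POST -H 'Content-Type: application/json' --data '{}' https://example.com/api/auth/login` (example.com standing in for the real host); the failed login still returns an error status, but the `cache-control: no-store` line should now be present. Once a Kirby release sets the header on API responses itself, this snippet becomes redundant but does no harm.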
Thanks for your input! Results from external security audits are always really helpful to us. In the future, please send us security-related information via email. In this case it wasn’t a vulnerability, but better safe than sorry.