Security: Always include the no-store and private directives in the Cache-Control header when setting headers that prevent caching.

The intention of these headers is to prevent any form of caching, whether that's in the browser or in an intermediate cache such as a proxy server. These directives instruct an intermediate cache to not store the response in their cache for any user – not just for logged-in users.

This does not affect the caching behaviour of assets within a page such as images, CSS, and JavaScript files.

Props kkmuffme, devansh2002, johnbillion.

Fixes #61942

git-svn-id: https://develop.svn.wordpress.org/trunk@59724 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-includes/functions.php

@@ -1489,18 +1489,18 @@ function status_header( $code, $description = '' ) {
  * Gets the HTTP header information to prevent caching.
  *
  * The several different headers cover the different ways cache prevention
- * is handled by different browsers.
+ * is handled by different browsers or intermediate caches such as proxy servers.
  *
  * @since 2.8.0
  * @since 6.3.0 The `Cache-Control` header for logged in users now includes the
  *              `no-store` and `private` directives.
+ * @since 6.8.0 The `Cache-Control` header now includes the `no-store` and `private`
+ *              directives regardless of whether a user is logged in.
  *
  * @return array The associative array of header names and field values.
  */
 function wp_get_nocache_headers() {
-	$cache_control = ( function_exists( 'is_user_logged_in' ) && is_user_logged_in() )
-		? 'no-cache, must-revalidate, max-age=0, no-store, private'
-		: 'no-cache, must-revalidate, max-age=0';
+	$cache_control = 'no-cache, must-revalidate, max-age=0, no-store, private';
 
 	$headers = array(
 		'Expires'       => 'Wed, 11 Jan 1984 05:00:00 GMT',

tests/e2e/specs/cache-control-headers-directives.test.js

@@ -27,6 +27,7 @@ test.describe( 'Cache Control header directives', () => {
 		// Dispose context once it's no longer needed.
 		await context.close();
 
+		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-cache" } ) );
 		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "no-store" } ) );
 		expect( responseHeaders ).toEqual( expect.not.objectContaining( { "cache-control": "private" } ) );
 	} );
@@ -40,6 +41,27 @@ test.describe( 'Cache Control header directives', () => {
 		const response = await page.goto( '/wp-admin' );
 		const responseHeaders = response.headers();
 
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
+	} );
+
+	test(
+		'Correct directives present in cache control header when not logged in on 404 page.',
+		async ( { browser }
+		) => {
+		const context = await browser.newContext();
+		const loggedOutPage = await context.newPage();
+
+		const response = await loggedOutPage.goto( '/this-does-not-exist/' );
+		const responseHeaders = response.headers();
+		const responseStatus = response.status();
+
+		// Dispose context once it's no longer needed.
+		await context.close();
+
+		expect( responseStatus ).toBe( 404 );
+		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-cache' );
 		expect( responseHeaders[ 'cache-control' ] ).toContain( 'no-store' );
 		expect( responseHeaders[ 'cache-control' ] ).toContain( 'private' );
 	} );