From ae1f028929b1d6e0ca0328b3ac12251412301584 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Uzna=C5=84ski?= <l.uznanski@macopedia.pl>
Date: Mon, 27 Nov 2017 13:20:45 +0100
Subject: [PATCH] [BUGFIX] Send correct Cache-Control header if no client side
 caching

Add 'Cache-Control: no-store' if the conditions allowing client caching
are not met. This change prevents the browser from caching the content.

Resolves: #81160
Releases: master, 8.7, 7.6
Change-Id: Ia91a339178b8cd8387706679bbea40ed0d1b0548
Reviewed-on: https://review.typo3.org/54788
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Pawel Cieslik <p.cieslik@macopedia.pl>
Tested-by: Pawel Cieslik <p.cieslik@macopedia.pl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
---
 .../Classes/Controller/TypoScriptFrontendController.php      | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
index 515120408618..5711cce60608 100644
--- a/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
+++ b/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
@@ -3569,9 +3569,10 @@ class TypoScriptFrontendController implements LoggerAwareInterface
             ];
             $this->isClientCachable = true;
         } else {
-            // Build headers:
+            // Build headers
+            // "no-store" is used to ensure that the client HAS to ask the server every time, and is not allowed to store anything at all
             $headers = [
-                'Cache-Control: private'
+                'Cache-Control: private, no-store'
             ];
             $this->isClientCachable = false;
             // Now, if a backend user is logged in, tell him in the Admin Panel log what the caching status would have been:
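Review bot: The comment added above `$headers` in the else branch describes revalidation ("HAS to ask the server every time"), which is what `no-cache` does. `no-store` is the stronger directive: it forbids keeping any copy, and that is what protects a page rendered for a logged-in user from being read back out of a browser or shared cache. I would reword the comment to `// "no-store": neither the browser nor any intermediary may keep a copy of this response, so it is always fetched from the server`. HTTP/1.0 intermediaries ignore `Cache-Control`, and the hunk does not show whether `Pragma` or `Expires` is sent for this branch, so that is worth checking in the rest of the method, which lies outside the hunk along with the condition that selects this branch.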
-- 
GitLab