
Add middleware to set Cache-Control header for challenge HTML (#132)

* Add middleware to set Cache-Control header for challenge HTML

* Add `NoStoreCache` middleware function in `internal/headers.go` to set Cache-Control: no-store header
* Apply `NoStoreCache` middleware in `cmd/anubis/main.go` to set Cache-Control header for challenge HTML

* docs: Add no-cache header information for challenge page

* docs: Update changelog to reflect no-store Cache-Control header addition for challenge page

* refactor: rename variable for clarity and update caching middleware in RenderIndex

* chore: move changes to the unreleased section

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

---------

Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com>
Signed-off-by: Jason Cameron <git@jasoncameron.dev>
Jason Cameron 3 месяцев назад
Родитель
Сommit
3683f95933
3 измененных файлов с 18 добавлено и 5 удалено
  1. 1 0
      docs/docs/CHANGELOG.md
  2. 9 0
      internal/headers.go
  3. 8 5
      lib/anubis.go

+ 1 - 0
docs/docs/CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- Added a no-store Cache-Control header to the challenge page
 
 - Hide the directory listings for Anubis' internal static content
 - Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.

+ 9 - 0
internal/headers.go

@@ -64,6 +64,15 @@ func XForwardedForToXRealIP(next http.Handler) http.Handler {
 	})
 }
 
+// NoStoreCache sets the Cache-Control header to no-store for the response.
+func NoStoreCache(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store")
+	  next.ServeHTTP(w, r)
+	})
+}
+
+
 // Do not allow browsing directory listings in paths that end with /
 func NoBrowsing(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
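Review bot: The added `next.ServeHTTP(w, r)` line in NoStoreCache is indented with a tab followed by two spaces, and the function is followed by two blank lines, so the file is no longer gofmt-clean. Running gofmt would indent the call with two tabs like the `w.Header().Set(...)` line above it and collapse the blank lines to one. The doc comment would also benefit from stating the ordering the code relies on: the header is set before the wrapped handler runs, so a handler that writes its own Cache-Control replaces it. Something like `// NoStoreCache sets Cache-Control: no-store before calling next so browsers and intermediary caches do not keep the response; next may still overwrite the header.` would cover it. NoBrowsing's body continues outside the hunk.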

+ 8 - 5
lib/anubis.go

@@ -162,7 +162,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (s *Server) challengeFor(r *http.Request, difficulty int) string {
 	fp := sha256.Sum256(s.priv.Seed())
 
-	data := fmt.Sprintf(
+	challengeData := fmt.Sprintf(
 		"Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
 		r.Header.Get("Accept-Language"),
 		r.Header.Get("X-Real-Ip"),
@@ -171,7 +171,7 @@ func (s *Server) challengeFor(r *http.Request, difficulty int) string {
 		fp,
 		difficulty,
 	)
-	return internal.SHA256sum(data)
+	return internal.SHA256sum(challengeData)
 }
 
 func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
@@ -326,9 +326,12 @@ func (s *Server) MaybeReverseProxy(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request) {
-	templ.Handler(
-		web.Base("Making sure you're not a bot!", web.Index()),
-	).ServeHTTP(w, r)
+	handler := internal.NoStoreCache(
+		templ.Handler(
+			web.Base("Making sure you\\'re not a bot!", web.Index()),
+		),
+	)
+	handler.ServeHTTP(w, r)
 }
 
 func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
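Review bot: The new title literal in RenderIndex reads `"Making sure you\\'re not a bot!"`, and in a Go interpreted string `\\` is an escaped backslash, so as shown the rendered title becomes `Making sure you\'re not a bot!` with a visible backslash. The removed line had a plain apostrophe, which needs no escaping inside double quotes: `web.Base("Making sure you're not a bot!", web.Index()),`. Separately, this builds a new middleware wrapper on every request only to set one header; `w.Header().Set("Cache-Control", "no-store")` before the existing `templ.Handler(...).ServeHTTP(w, r)` call would do the same with less indirection. Only RenderIndex is wrapped in the visible lines; MakeChallenge's body is outside the hunk, so it is worth confirming whether its response needs the same header.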