fix: add Cache-Control no-store header to attestation responses (#12)

sangwa · claude · web-flow · commit ad6f95988668 · 2026-03-26T14:53:51.000-07:00
Attestation responses are unique per request (fresh timestamp, request ID,
hardware-signed evidence) and must not be cached by proxies or clients.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/attestation.go b/internal/attestation.go
@@ -310,6 +310,7 @@ func sendReport(c *fiber.Ctx, report *AttestationReport, reportDataJSON []byte)
 		return fiber.NewError(fiber.StatusInternalServerError, "failed to marshal attestation report")
 	}
 	c.Set("Content-Type", "application/json")
+	c.Set("Cache-Control", "no-store")
 	return c.Send(body)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,7 @@ func sendReport(c fiber.Ctx, report AttestationReport, reportDataJSON []byte)`
`310`	`310`	`return fiber.NewError(fiber.StatusInternalServerError, "failed to marshal attestation report")`
`311`	`311`	`}`
`312`	`312`	`c.Set("Content-Type", "application/json")`
	`313`	`+ c.Set("Cache-Control", "no-store")`
`313`	`314`	`return c.Send(body)`
`314`	`315`	`}`
`315`	`316`