RFC: Default Cache-Control headers for the GET session endpoint

[ThangHuuVu]

Goals

To enhance security and privacy by adding default Cache-Control headers to the GET session endpoint in Auth.js, ensuring that session information is not cached by browsers or intermediaries, like CDNs.

Non-Goals

1. Change the behavior of other endpoints
2. Change the handling of session data
3. Address caching mechanisms beyond HTTP response headers

Background

See: #1153 (comment)

Some CDNs such as Cloudflare or AWS CloudFront would cache GET requests by default. This requires the developers to set the cache rule on the cloud providers side which is prone to misconfigurations.

To mitigate this risk, returning the Cache-Control header from the core will instruct these providers to respect the cache rule and not to store the session information.

References:

• https://developers.cloudflare.com/cache/concepts/default-cache-behavior/
• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html

Proposal

Update the GET session endpoint handling to include Cache-Control headers in the response. The following headers will be set:

• Cache-Control: private, no-cache, no-store
• Expires: 0
• Consideration: Pragma: no-cache: Ensures compatibility with HTTP/1.0 caches, which may not recognize Cache-Control.

Steps:

1. Update the handler code
2. Add tests
3. Add documentation

Backward compatibility: I don't expect this to break any existing functionalities.