SEC-2331: Cache Control now includes Expires: 0

config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy

@@ -79,6 +79,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
                          'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                          'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                          'Pragma':'no-cache',
+                         'Expires' : '0',
                          'X-XSS-Protection' : '1; mode=block']
     }
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.groovy

@@ -49,6 +49,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
                          'X-Frame-Options':'DENY',
                          'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                          'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                         'Expires' : '0',
                          'Pragma':'no-cache',
                          'X-XSS-Protection' : '1; mode=block']
     }
@@ -128,6 +129,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
             springSecurityFilterChain.doFilter(request,response,chain)
         then:
             responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                         'Expires' : '0',
                          'Pragma':'no-cache']
     }
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy

@@ -49,6 +49,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
                 'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                 'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
                 'Pragma':'no-cache',
+                'Expires' : '0',
                 'X-XSS-Protection' : '1; mode=block']
     }
 
@@ -69,6 +70,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
             springSecurityFilterChain.doFilter(request,response,chain)
         then:
             responseHeaders == ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                'Expires' : '0',
                 'Pragma':'no-cache']
     }
 

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -54,6 +54,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
                                      'X-Frame-Options':'DENY',
                                      'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
                                      'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                                     'Expires' : '0',
                                      'Pragma':'no-cache',
                                      'X-XSS-Protection' : '1; mode=block'])
     }
@@ -332,7 +333,9 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         when:
             springSecurityFilterChain.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
         then:
-            assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate','Pragma':'no-cache'])
+            assertHeaders(response, ['Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
+                                     'Expires' : '0',
+                                     'Pragma':'no-cache'])
     }
 
     def 'http headers hsts'() {

web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java

@@ -44,6 +44,7 @@ public final class CacheControlHeadersWriter extends StaticHeadersWriter {
         List<Header> headers = new ArrayList<Header>(2);
         headers.add(new Header("Cache-Control","no-cache, no-store, max-age=0, must-revalidate"));
         headers.add(new Header("Pragma","no-cache"));
+        headers.add(new Header("Expires","0"));
         return headers;
     }
 }

web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java

@@ -47,8 +47,9 @@ public class CacheControlHeadersWriterTests {
     public void writeHeaders() {
         writer.writeHeaders(request, response);
 
-        assertThat(response.getHeaderNames().size()).isEqualTo(2);
+        assertThat(response.getHeaderNames().size()).isEqualTo(3);
         assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache, no-store, max-age=0, must-revalidate"));
         assertThat(response.getHeaderValues("Pragma")).isEqualTo(Arrays.asList("no-cache"));
+        assertThat(response.getHeaderValues("Expires")).isEqualTo(Arrays.asList("0"));
     }
 }