[3.0.x.x] Add cache control headers

[ADDCreative]

Still regular posts on the forum with issues cause by lack of cache control headers, which have never been added to 3.0.x.x.

Use header instead of $response->addHeader to prevent redirects being cached. Which can be a problem on hosting with an ExpiresDefault set. A better way would be to modify the response library to include headers on redirects and only send when a session is started.

Also probably needed to comply with data protection regulations.

[mhcwebdesign]

I am not quite sure what issue exactly your are trying to resolve. The OC 4 master branch uses something like this:

$response->addHeader('Access-Control-Allow-Origin: *');
$response->addHeader('Access-Control-Allow-Credentials: true');
$response->addHeader('Access-Control-Max-Age: 1000');
$response->addHeader('Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding');
$response->addHeader('Access-Control-Allow-Methods: PUT, POST, GET, OPTIONS, DELETE');
$response->addHeader('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
$response->addHeader('Pragma: no-cache');

Wouldn't that work for the 3.0.x.x, too?

[ADDCreative]

Access-Control is something completely different to cache control. For the cache control, that is missing the Expires header which is needed in certain hosting configurations. Also, as I said, headers added with $response->addHeader don't get used on a redirect. So it was only really half fixed in 4.0.x.

A better way would be to modify the response library to include headers on redirects and only set the headers when a session is started.

For more information have a good read of #7008.