covidwatchorg / portal

Covid Watch Portal web app for diagnosis verification
Apache License 2.0
8 stars 3 forks

Cache control settings have not been set allowing the browser and proxies to cache content #423

Closed whaber closed 4 years ago

whaber commented 4 years ago

This potentially allows users of the same computer and/or proxies that may be between the browser and the portal server to access confidential information.

Ref on how to solve: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching

Even after the session has been closed, it might be possible to access the private or sensitive data exchanged within the session through the web browser cache. Therefore, web applications must use restrictive cache directives for all the web traffic exchanged through HTTP and HTTPS, such as the Cache-Control and Pragma HTTP headers, and/or equivalent META tags on all or (at least) sensitive web pages.

Independently of the cache policy defined by the web application, if caching web application contents is allowed, the session IDs must never be cached, so it is highly recommended to use the Cache-Control: no-cache="Set-Cookie, Set-Cookie2" directive, to allow web clients to cache everything except the session ID...
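An added example, not code from the Covid Watch portal: a Node-style middleware that marks every response as uncacheable, and a small audit function that parses Cache-Control the way a browser or shared proxy would and reports what the headers permit. The audit also flags the field-name form `no-cache="Set-Cookie, ..."` from the OWASP quote above, because browsers do not honour the quoted-field-name argument; `no-store` is what actually keeps a body and its cookies out of the browser and proxy caches. The function names and the sample header sets are constructed for this illustration; the middleware relies only on `res.setHeader`, which Node's ServerResponse (and therefore Express and Cloud Functions HTTP handlers) provides.

```javascript
// Added example, not project code. Headers that block storage in browsers
// and intermediaries; Pragma/Expires cover old HTTP/1.0 caches.
const NO_STORE_HEADERS = Object.freeze({
  'Cache-Control': 'no-store, no-cache, must-revalidate, private',
  Pragma: 'no-cache',
  Expires: '0',
});

// Middleware in the (req, res, next) shape used by Express and by Cloud
// Functions HTTP handlers. Only res.setHeader is assumed to exist.
function noStore(req, res, next) {
  for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Split a Cache-Control value on commas that are not inside quotes, so that
// no-cache="Set-Cookie, Set-Cookie2" survives as a single directive.
function splitDirectives(value) {
  const parts = [];
  let current = '';
  let inQuote = false;
  for (const ch of value) {
    if (ch === '"') inQuote = !inQuote;
    if (ch === ',' && !inQuote) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Parse Cache-Control into { directive: argument | true }.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of splitDirectives(value)) {
    const m = part.match(/^([a-z-]+)(?:=(?:"([^"]*)"|(\S*)))?$/i);
    if (!m) continue;
    const arg = m[2] !== undefined ? m[2] : m[3];
    directives[m[1].toLowerCase()] = arg !== undefined ? arg : true;
  }
  return directives;
}

function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Report what a response's headers allow. browserMayStore is true unless
// no-store is present (no-cache alone still permits storage, it only
// forces revalidation); sharedCacheMayStore also goes false with private.
function auditCaching(headers) {
  const h = lowerCaseKeys(headers);
  const cc = parseCacheControl(h['cache-control']);
  const noStoreSet = cc['no-store'] === true;
  const isPrivate = cc.private === true;
  const findings = [];
  if (!noStoreSet) findings.push('missing no-store: browser may write the body to its disk cache');
  if (!noStoreSet && !isPrivate) findings.push('neither no-store nor private: a shared proxy may cache the response');
  if (h['set-cookie'] !== undefined && !noStoreSet) findings.push('response sets a cookie but is storable');
  if (typeof cc['no-cache'] === 'string') findings.push('field-name form no-cache="..." is not honoured by browsers; use no-store');
  return { browserMayStore: !noStoreSet, sharedCacheMayStore: !noStoreSet && !isPrivate, findings };
}

// Run the middleware against a fake response object and return the headers it ends up with.
function withNoStore(headers) {
  const stored = { ...headers };
  const fakeRes = { setHeader: (name, value) => { stored[name] = value; } };
  noStore({}, fakeRes, () => {});
  return stored;
}

// Constructed sample responses for the demo (not captured from the portal).
const SAMPLES = {
  unset: { 'Content-Type': 'text/html' },
  owaspFieldName: { 'Cache-Control': 'no-cache="Set-Cookie, Set-Cookie2"', 'Set-Cookie': 'session=abc; HttpOnly; Secure' },
  hardened: withNoStore({ 'Content-Type': 'text/html', 'Set-Cookie': 'session=abc; HttpOnly; Secure' }),
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const result = auditCaching(headers);
  console.log(name, result.browserMayStore ? 'STORABLE' : 'not storable', result.findings);
}
```

Apply `noStore` before the route handlers that serve authenticated pages or API responses; static assets such as fonts and bundled scripts can keep a normal cache policy, which is why the OWASP text says "all or (at least) sensitive web pages". Whether Firebase Hosting and Cloud Functions let the application set these headers on every response is the open question raised in the next comment.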

ibeckermayer commented 4 years ago

Is this meant to be set in all responses? Firebase Cloud Functions/Auth may have our hands tied.

FYI, we're using Firebase's out-of-the-box session management api

whaber commented 4 years ago

Let's start with making this change:

firebase.auth.Auth.Persistence.NONE

Indicates that the state will only be stored in memory and will be cleared when the window or activity is refreshed.

ibeckermayer commented 4 years ago

(Leaving a note for myself)

We're also manually saving the mobx store in sessionStorage, which should be removed as well:

// Based on https://egghead.io/lessons/react-store-store-in-local-storage
// Code slated for removal: it persists the whole mobx-state-tree store
// (including any user data held in it) to sessionStorage, so the data
// outlives the in-memory session. `Store` is the app's MST model, defined elsewhere.
import { onSnapshot } from 'mobx-state-tree'

let initialStore = {}
if (sessionStorage.getItem('store')) {
  initialStore = JSON.parse(sessionStorage.getItem('store'))
}

const rootStore = Store.create({
  ...initialStore,
})

// Based on https://egghead.io/lessons/react-store-store-in-local-storage
// Every state change is written back to sessionStorage.
onSnapshot(rootStore, (snapshot) => {
  sessionStorage.setItem('store', JSON.stringify(snapshot))
})