fix(http): prevent caching of responses with Set-Cookie headers by SkyZeroZx · Pull Request #69385 · angular/angular
Skip HttpTransferCache serialization for HTTP responses that contain a Set-Cookie header. Cookie-setting responses commonly represent session-specific, user-specific, or security-sensitive state. Serializing their bodies into SSR TransferState can embed sensitive data into the generated HTML, where it may be reused during hydration or replayed by a shared cache/CDN.
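As an added illustration (not code from this PR or from Angular itself), the following TypeScript models the guard the description asks for: an SSR transfer cache that refuses to serialize any response carrying a Set-Cookie header. The type and function names, the sample responses and the session id are all constructed for the example.

```typescript
// Hypothetical model of an SSR transfer cache; not Angular's HttpTransferCache.
type HeaderMap = Record<string, string | string[]>;

interface CachedResponse {
  url: string;
  status: number;
  headers: HeaderMap;
  body: string;
}

/** Case-insensitive header lookup: server frameworks differ in header casing. */
function getHeader(headers: HeaderMap, name: string): string[] | undefined {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  if (key === undefined) return undefined;
  const value = headers[key];
  return Array.isArray(value) ? value : [value];
}

/** Mirrors the CDN heuristic: a response that sets a cookie is never shared. */
function isTransferCacheable(res: CachedResponse): boolean {
  return getHeader(res.headers, 'set-cookie') === undefined;
}

class TransferCache {
  private readonly store: Record<string, CachedResponse> = {};
  constructor(private readonly skipSetCookie: boolean) {}

  /** Returns true when the response was recorded for transfer to the client. */
  record(res: CachedResponse): boolean {
    if (this.skipSetCookie && !isTransferCacheable(res)) return false;
    this.store[res.url] = res;
    return true;
  }

  /** The JSON blob that would be embedded in the rendered HTML. */
  serialize(): string {
    return JSON.stringify(this.store);
  }
}

// Constructed sample responses: one public, one session-specific.
const PUBLIC_RES: CachedResponse = { url: '/api/config', status: 200,
  headers: { 'content-type': 'application/json' }, body: '{"theme":"dark"}' };
const SESSION_RES: CachedResponse = { url: '/api/me', status: 200,
  headers: { 'Set-Cookie': ['sid=constructed-session-id; HttpOnly'] },
  body: '{"email":"user@example.test"}' };

/** Renders the transfer blob with the guard off (before) or on (after). */
function renderTransferState(skipSetCookie: boolean): string {
  const cache = new TransferCache(skipSetCookie);
  cache.record(PUBLIC_RES);
  cache.record(SESSION_RES);
  return cache.serialize();
}
```

With the guard off, the serialized state embeds the user's email from `/api/me` in the HTML; with it on, only `/api/config` is transferred.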
This change seems redundant to me unless you can reproduce it.
From the spec, Set-Cookie is automatically stripped on Node.js unless credentials is set to include.
@alan-agius4 This is about using Set-Cookie server-side as a signal that the response body may be session-specific and should not be serialized into TransferState, similar to how CDNs such as Cloudflare and Google Cloud CDN treat responses with Set-Cookie.
Here is a minimal Node.js example showing that the Set-Cookie header is preserved server-side in all cases:
https://gist.github.com/SkyZeroZx/c889f14f983739c67339dc4195807b34