Web Vault: Cache-Control Headers are incorrectly being sent in requests instead of server responses #3657

Closed
opened 2026-04-06 05:15:18 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @Algebro7 on 12/10/2018

I started playing around with bitwarden_rs today and noticed that `cache-control: no-cache, max-age=0` and `pragma: no-cache` are being sent in the request headers instead of in the response, so they are effectively doing nothing. Example:

```http
GET /api/sync?excludeDomains=true HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://<redacted>
device-type: 10
authorization: Bearer <redacted>
cache-control: no-cache, max-age=0
pragma: no-cache
origin: https://<redacted>
DNT: 1
Connection: close
```

I also recommend setting the `no-store` directive in addition to `no-cache`.

Additionally, many responses aren't setting the additional security headers like `X-Frame-Options` and `X-Content-Type-Options` referenced in #44. Example from /api/sync:

```http
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 Dec 2018 04:46:53 GMT
Content-Type: application/json
Content-Length: 7489
Connection: close
Strict-Transport-Security: max-age=63072000; includeSubDomains
```
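As an added example (not part of the issue or of the Vaultwarden code base), a small Python audit that parses a raw HTTP response and reports which of the headers discussed above are missing or weak on the server side; the required-header policy and the two sample responses are assumptions constructed for this example.

```python
from typing import Dict, List

# Policy this example enforces (an assumption, not Vaultwarden's own config):
# header name -> accepted values (lowercased), or None for presence only.
REQUIRED_HEADERS = {
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
    "strict-transport-security": None,
}

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.1 response as a lowercase-name dict."""
    head = raw.replace("\r\n", "\n").strip("\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_directives(value: str) -> set:
    """'no-cache, max-age=0' -> {'no-cache', 'max-age'}: directive names only."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}

def audit_response(raw: str) -> List[str]:
    """List policy violations; an empty list means the response passes."""
    headers = parse_response_headers(raw)
    findings: List[str] = []
    present = cache_directives(headers.get("cache-control", ""))
    for directive in ("no-store", "no-cache"):  # both, as the issue recommends
        if directive not in present:
            findings.append(f"cache-control lacks {directive}")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("pragma: no-cache missing")
    for name, allowed in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif allowed and value.lower() not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")
    return findings

# Constructed sample: the /api/sync response quoted above, body omitted.
ISSUE_RESPONSE = ("HTTP/1.1 200 OK\nServer: nginx\nContent-Type: application/json\n"
                  "Strict-Transport-Security: max-age=63072000; includeSubDomains\n")
# Constructed sample: the same response carrying the headers the issue asks for.
HARDENED_RESPONSE = ISSUE_RESPONSE + ("Cache-Control: no-store, no-cache, max-age=0\n"
                                      "Pragma: no-cache\nX-Frame-Options: SAMEORIGIN\n"
                                      "X-Content-Type-Options: nosniff\n")
```

Running `audit_response` over the quoted response lists the two missing cache directives, the missing `Pragma`, and the two missing security headers; the hardened variant returns no findings.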

Reference: github/vaultwarden#3657