Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers

Signed-off-by: Margo Crawford <margaretc@vmware.com>

internal/httputil/securityheader/securityheader.go

@@ -9,12 +9,22 @@ import "net/http"
 // Wrap the provided http.Handler so it sets appropriate security-related response headers.
 func Wrap(wrapped http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		wrapped.ServeHTTP(w, r)
 		h := w.Header()
 		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
 		h.Set("X-Frame-Options", "DENY")
 		h.Set("X-XSS-Protection", "1; mode=block")
 		h.Set("X-Content-Type-Options", "nosniff")
 		h.Set("Referrer-Policy", "no-referrer")
-		wrapped.ServeHTTP(w, r)
+		h.Set("X-DNS-Prefetch-Control", "off")
+
+		// first overwrite existing Cache-Control header with Set, then append more headers with Add
+		h.Set("Cache-Control", "no-cache")
+		h.Add("Cache-Control", "no-store")
+		h.Add("Cache-Control", "max-age=0")
+		h.Add("Cache-Control", "must-revalidate")
+
+		h.Set("Pragma", "no-cache")
+		h.Set("Expires", "0")
 	})
 }

internal/httputil/securityheader/securityheader_test.go

@@ -26,5 +26,9 @@ func TestWrap(t *testing.T) {
 		"X-Content-Type-Options":  []string{"nosniff"},
 		"X-Frame-Options":         []string{"DENY"},
 		"X-Xss-Protection":        []string{"1; mode=block"},
+		"X-Dns-Prefetch-Control":  []string{"off"},
+		"Cache-Control":           []string{"no-cache", "no-store", "max-age=0", "must-revalidate"},
+		"Pragma":                  []string{"no-cache"},
+		"Expires":                 []string{"0"},
 	}, rec.Header())
 }