asf-tooling opened a new issue, #977:
URL: https://github.com/apache/tooling-trusted-releases/issues/977

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The API endpoint for JWT creation returns credentials without cache-control headers, while the equivalent web endpoint correctly implements `Cache-Control: no-store`. This inconsistency creates a caching vulnerability in the API path. JWT credentials valid for 30 minutes could be cached by server-side components. If a shared cache (e.g., a CDN with aggressive caching or a misconfigured Varnish) stores the response, subsequent requests matching the cache key could receive another user's JWT.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/api/__init__.py:398-415` - JWT creation without cache headers
   
   The API endpoint returns JWTs without anti-caching headers while the web endpoint correctly implements them, creating an inconsistency.
   
   ### Recommended Remediation
   Covered by global fix in FINDING-046. If implementing per-endpoint:
   
   ```python
   import quart

   @app.route('/api/jwt/create', methods=['POST'])
   async def jwt_create(...):
       # ... JWT creation logic

       response = quart.jsonify({'jwt': token})
       # no-store keeps the credential out of shared and private caches;
       # Pragma: no-cache covers HTTP/1.0 intermediaries that ignore Cache-Control
       response.headers['Cache-Control'] = 'no-store'
       response.headers['Pragma'] = 'no-cache'
       return response
   ```
   
   ### Acceptance Criteria
   - [ ] Cache-Control header added to response
   - [ ] Pragma header added for compatibility
   - [ ] Consistency with web endpoint
   - [ ] Integration test verifies headers
   - [ ] Unit test verifying the fix
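The header check below is an added example, not code from the tooling-trusted-releases project: it parses `Cache-Control`, reports why a credential-bearing response could still be served from a shared cache, and applies the remediation above so the "Integration test verifies headers" criterion has something concrete to assert on. The sample header maps are constructed for illustration, not captured from the API or web endpoints.

```python
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'no-store, max-age=0' -> {'no-store': None, 'max-age': '0'}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, has_arg, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def credential_cache_problems(headers: dict[str, str]) -> list[str]:
    """Reasons a credential-bearing response could be served from a shared
    cache; an empty list means it carries the headers the finding asks for."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lower.get("cache-control", ""))
    problems: list[str] = []
    if "no-store" not in cc:
        problems.append("Cache-Control lacks no-store")
    if "public" in cc:
        problems.append("Cache-Control: public explicitly allows shared caching")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing (HTTP/1.0 intermediaries)")
    return problems


def add_no_store(headers: dict[str, str]) -> dict[str, str]:
    """Apply the finding's remediation to a mutable header map."""
    headers["Cache-Control"] = "no-store"
    headers["Pragma"] = "no-cache"
    return headers


# Constructed samples modelled on the finding (hypothetical, not captured from the
# project): the web endpoint already sends the headers, the API path does not.
WEB_JWT_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                   "Cache-Control": "no-store", "Pragma": "no-cache"}
API_JWT_HEADERS = {"Content-Type": "application/json"}


def check_endpoints() -> dict[str, list[str]]:
    """What an integration test would assert on: 'api_fixed' must come back clean."""
    return {
        "web": credential_cache_problems(WEB_JWT_HEADERS),
        "api": credential_cache_problems(API_JWT_HEADERS),
        "api_fixed": credential_cache_problems(add_no_store(dict(API_JWT_HEADERS))),
    }
```

`check_endpoints()` reports the API path as failing on both headers and the web path as clean, matching the inconsistency the finding describes; a real integration test would feed the live response's headers to `credential_cache_problems` instead of the constructed maps.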
   
   ### References
   - Source reports: L2:14.2.2.md, L2:14.3.2.md
   - Related findings: FINDING-046, FINDING-011
   - ASVS sections: 14.2.2, 14.3.2
   
   ### Priority
   High
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

