Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
292 views
in Technique[技术] by (71.8m points)

php - Cloudflare is caching my login pages. Should I mitigate this at the Cloudflare level or the application level, or both?

Question for y'all. We recently experienced a data breach. It looks like Cloudflare was set with a "cache all policy" for quite some time. We're not quite sure what triggered it or if this had been an issue for a long time... anyway, a customer reported it and now I'm trying to learn from this really unpleasant experience. All eyes are on the web guy.

QUESTION: Cloudflare is caching my login pages. Should I mitigate this at the Cloudflare level or the application level, or both?

If at the application level, is it enough to include a caching policy using headers (i.e. no-cache, private, etc.) or is there something else I should be looking at? The account/dashboard area is just a simple PHP + an API integration. There's not a lot it is displaying. Just product info and contact details.

Question from: https://stackoverflow.com/questions/66055837/cloudflare-is-caching-my-login-pages-should-i-mitigate-this-at-the-cloudflare-l

Fight the dragon too long and you become the dragon yourself; gaze into the abyss too long and the abyss gazes back…

1 Answer

0 votes
by (71.8m points)

The default Cloudflare CDN behaviour is explained in this article: Understanding Cloudflare's CDN

As noted in the article, HTML is not cached by default, but it is possible to achieve this by configuring a Page Rule. It is generally not advised to set up caching rules on pages showing content that is meant for specific users.

It is also possible (depending on your plan) to customize the behavior with features such as "Bypass Cache on Cookie", "Cache on Cookie" or creating Custom Cache Keys (the latter only available on Enterprise plans).

A summary of these (and other) Page rule options is available here
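
For the header-based option raised in the question, one way to check the result is to audit the response headers that user-specific pages actually return through the CDN. This is an added example, not part of the original question or answer; the paths and sample responses are constructed, and the grouping of `CF-Cache-Status` values follows Cloudflare's documented status values as an assumption of this sketch.

```python
# Added example: audit captured response headers of pages that show per-user content.
# Sample responses are constructed; the paths are hypothetical.

SHARED_CACHE_BLOCKERS = {"no-store", "private"}
SERVED_FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}
CACHE_ELIGIBLE = {"MISS", "EXPIRED"}  # fetched from origin, but treated as cacheable

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_response(path, headers):
    """Return findings for one response that is expected to be user-specific."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    status = h.get("cf-cache-status", "").upper()
    findings = []
    if status in SERVED_FROM_CACHE:
        findings.append(f"{path}: served from edge cache (CF-Cache-Status: {status})")
    elif status in CACHE_ELIGIBLE:
        findings.append(f"{path}: eligible for edge caching (CF-Cache-Status: {status})")
    if SHARED_CACHE_BLOCKERS.isdisjoint(cc):
        findings.append(f"{path}: Cache-Control lacks no-store/private")
    if "public" in cc or "s-maxage" in cc:
        findings.append(f"{path}: Cache-Control explicitly allows shared caching")
    return findings

def audit_all(responses):
    """Map each path to its list of findings."""
    return {path: audit_response(path, hdrs) for path, hdrs in responses.items()}

SAMPLES = {  # constructed header sets, as they might be captured with curl -I
    "/login.php": {"Cache-Control": "public, max-age=14400", "CF-Cache-Status": "HIT"},
    "/account/dashboard.php": {"Cache-Control": "no-store, private", "CF-Cache-Status": "DYNAMIC"},
    "/account/orders.php": {"CF-Cache-Status": "MISS"},
}

if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "OK" if not findings else findings)
```

A page that reports findings here needs attention at both layers: the origin headers and whichever Page Rule made the HTML cacheable.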

