Don't set public Cache-Control on proxied non-public blobs

Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`,
which sets `Cache-Control: public, immutable`. For non-public blobs behind auth,
this allows CDN caching that serves responses without authorization checks.

Override `http_cache_forever` in the Authorize concern to downgrade `public` to
`false` for non-public blobs.

See https://github.com/basecamp/fizzy/pull/2251 for context
This commit is contained in:
Mike Dalessio
2026-03-26 14:58:06 -04:00
parent 09d5b8c92f
commit 628571fc79
2 changed files with 12 additions and 0 deletions
@@ -40,6 +40,10 @@ Rails.application.config.to_prepare do
head :forbidden
end
end
def http_cache_forever(public: false, &block)
super(public: public && publicly_accessible_blob?, &block)
end
end
ActiveStorage::Blobs::RedirectController.include ActiveStorage::Authorize