Make cache-control enforcement unconditional in addCacheControlHeadersForSession

Author: nandan-bhat

src/server/cookies.test.ts

@@ -56,11 +56,9 @@ describe("encrypt/decrypt", async () => {
 });
 
 describe("addCacheControlHeadersForSession", () => {
-  it("adds cache headers if __session cookie has a future Date expiry", () => {
+  it("unconditionally adds strict cache headers", () => {
     const res = NextResponse.next();
-    const futureDate = new Date(Date.now() + 60_000); // 1 minute in the future
 
-    res.cookies.set("__session", "dummy", { expires: futureDate });
     addCacheControlHeadersForSession(res);
 
     expect(res.headers.get("Cache-Control")).toBe(
@@ -69,43 +67,4 @@ describe("addCacheControlHeadersForSession", () => {
     expect(res.headers.get("Pragma")).toBe("no-cache");
     expect(res.headers.get("Expires")).toBe("0");
   });
-
-  it("does NOT add headers if __session cookie is missing", () => {
-    const res = NextResponse.next();
-
-    addCacheControlHeadersForSession(res);
-    expect(res.headers.get("Cache-Control")).toBeNull();
-    expect(res.headers.get("Pragma")).toBeNull();
-    expect(res.headers.get("Expires")).toBeNull();
-  });
-
-  it("does NOT add headers if __session cookie is expired", () => {
-    const res = NextResponse.next();
-    const pastDate = new Date(Date.now() - 60_000); // 1 minute in the past
-
-    res.cookies.set("__session", "dummy", { expires: pastDate });
-    addCacheControlHeadersForSession(res);
-
-    expect(res.headers.get("Cache-Control")).toBeNull();
-  });
-
-  it("does NOT add headers if __session cookie has no value", () => {
-    const res = NextResponse.next();
-    const futureDate = new Date(Date.now() + 60_000);
-
-    // setting an empty value simulates a session cookie being cleared
-    res.cookies.set("__session", "", { expires: futureDate });
-    addCacheControlHeadersForSession(res);
-
-    expect(res.headers.get("Cache-Control")).toBeNull();
-  });
-
-  it("does NOT add headers if __session cookie has no expires field", () => {
-    const res = NextResponse.next();
-
-    res.cookies.set("__session", "dummy"); // no `expires`
-    addCacheControlHeadersForSession(res);
-
-    expect(res.headers.get("Cache-Control")).toBeNull();
-  });
 });

src/server/cookies.ts

@@ -332,37 +332,20 @@ export function deleteChunkedCookie(
 }
 
 /**
- * Returns true if the cookie's `expires` field represents a future time.
- * Handles both Date objects and numeric UNIX timestamps.
- */
-function isValidFutureExpiry(expires: Date | number): boolean {
-  const now = Date.now();
-  return typeof expires === "number"
-    ? expires * 1000 > now
-    : expires instanceof Date && expires.getTime() > now;
-}
-
-/**
- * Adds strict cache-control headers to prevent shared CDN caching of
- * responses that contain a valid `Set-Cookie: __session`.
+ * Unconditionally adds strict cache-control headers to the response.
+ *
+ * This ensures the response is not cached by CDNs or other shared caches.
+ * It is now the caller's responsibility to decide when to call this function.
  *
- * Only applies headers if a future-expiring `__session` cookie is present
- * in the response — avoiding overly aggressive cache disabling.
+ * Usage:
+ * Call this function whenever a `Set-Cookie` header is being written
+ * for session management or any other sensitive data that must not be cached.
  */
 export function addCacheControlHeadersForSession(res: NextResponse): void {
-  const sessionCookie = res.cookies.get("__session");
-
-  const isFreshCookie =
-    sessionCookie?.value &&
-    sessionCookie?.expires &&
-    isValidFutureExpiry(sessionCookie.expires);
-
-  if (isFreshCookie) {
-    res.headers.set(
-      "Cache-Control",
-      "private, no-cache, no-store, must-revalidate, max-age=0"
-    );
-    res.headers.set("Pragma", "no-cache");
-    res.headers.set("Expires", "0");
-  }
+  res.headers.set(
+    "Cache-Control",
+    "private, no-cache, no-store, must-revalidate, max-age=0"
+  );
+  res.headers.set("Pragma", "no-cache");
+  res.headers.set("Expires", "0");
 }