Prevent information leaking in Rails

Do you want to learn about about the security considerations of LLMs in a development workflow? How about securing LLM driven functionality? If you want to learn about these, I run an online workshop on this topic:
Security in the age of AI.

By default Rails sets the Cache-Control HTTP Header to max-age=0, private, must-revalidate, which means the browser needs to revalidate the page on each request, BUT the browser still stores the cached version of the page.

The problem with this, if a user clicks the back button of the browser, it won't revalidate the page, it will just simply load the page from it's cache. This can lead to serious information leaking, if you a user logs out from an application and someone else sits to that computer and navigates back in history. A more advanced attacker can even decrypt the browser's cache files and access sensitive information.

To address this issue, you can explicitly set the Cache-Control header in your app with a before filter:

  before_filter :set_as_private

  protected

  def set_as_private
    response.headers['Cache-Control'] = 'no-cache, no-store'
  end

You can call this filter in each controller where you display sensitive information(usually every controller behind authentication). Alternatively, you can ask you users at sign in, whether they are on a public or private computer and set the cache header based on their choice.

Or follow me on Twitter

Follow @gregmolnar

articles Prevent information leaking in Rails

Or follow me on Twitter

I run an indie startup providing vulnerability scanning for your Ruby on Rails app.

Related posts

Customizing Omarchy with Ruby

Ore, a Bundler-compatible gem manager

Ruby Triathlon 2025

On RubyCentral and Rubygems

Rails CVE-2025-55193 and CVE-2025-24293