I am working on my OAuth login endpoint and per the spec I want to make sure that tokens don't get cached in a CDN somewhere. I need these headers set, and in addition I want to check for them in my test suite.
Cache-Control: no-store
Pragma: no-cache
A plug can be used to do this:
    defmodule Bouncio.SessionController do
      use Bouncio.Web, :controller

      plug :secure_cache_headers
      ...

      # put_resp_header/3 returns a new conn, so the calls are piped;
      # otherwise the cache-control header would be discarded.
      defp secure_cache_headers(conn, _) do
        conn
        |> Plug.Conn.put_resp_header("cache-control", "no-store, private")
        |> Plug.Conn.put_resp_header("pragma", "no-cache")
      end
    end
Testing will involve checking conn.resp_headers.
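A sketch of such a test, as an added example that is not part of the original answer. It exercises the plug function directly with Plug.Test instead of going through the Phoenix controller, and also shows why each put_resp_header/3 result must be passed on; the module names, function names and the "/oauth/token" path are hypothetical.

```elixir
# Added example, run as a script with `elixir secure_cache_headers_test.exs`.
# SecureCacheHeaders and the request path are constructed for illustration.
Mix.install([:plug])
ExUnit.start()

defmodule SecureCacheHeaders do
  import Plug.Conn

  # Conn is immutable: each put_resp_header/3 returns a new conn,
  # so the calls have to be chained.
  def piped(conn, _opts) do
    conn
    |> put_resp_header("cache-control", "no-store, private")
    |> put_resp_header("pragma", "no-cache")
  end

  # Pitfall: the first call's result is thrown away, so only pragma is set
  # and the response keeps whatever cache-control it had before.
  def unpiped(conn, _opts) do
    put_resp_header(conn, "cache-control", "no-store, private")
    put_resp_header(conn, "pragma", "no-cache")
  end
end

defmodule SecureCacheHeadersTest do
  use ExUnit.Case, async: true
  import Plug.Test, only: [conn: 2]
  import Plug.Conn, only: [get_resp_header: 2]

  test "piped plug sets both headers" do
    conn = conn(:post, "/oauth/token") |> SecureCacheHeaders.piped([])
    assert get_resp_header(conn, "cache-control") == ["no-store, private"]
    assert get_resp_header(conn, "pragma") == ["no-cache"]
  end

  test "unpiped plug silently loses no-store" do
    conn = conn(:post, "/oauth/token") |> SecureCacheHeaders.unpiped([])
    assert get_resp_header(conn, "pragma") == ["no-cache"]
    refute Enum.any?(get_resp_header(conn, "cache-control"), &(&1 =~ "no-store"))
  end
end
```

Asserting on the exact header value, not just its presence, is what catches the second case: the response still carries a cache-control header, only not the one that forbids storing the token.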