Authentication-Specific Security Headers
Clear-Site-Data: Clears browser data on logout
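// Comprehensive logout with Clear-Site-Data
//
// POST /logout: destroys the server-side session, then instructs the browser
// to drop cached content, cookies and storage for this origin.
// Fix over the previous version: a failed session.destroy() no longer answers
// "Logged out successfully" — the server-side session may still be live in
// that case, so the client is told the logout failed (HTTP 500) instead.
// Assumes a CSRF check is applied upstream of this handler — TODO confirm.
app.post('/logout', (req, res) => {
  // Destroy the server-side session first; client-side cleanup alone leaves
  // the session usable by anyone who still holds the session id.
  req.session.destroy((err) => {
    // Browser-side cleanup is sent in both branches: even when server-side
    // destruction failed, clearing the client copy does no harm.
    // Clear-Site-Data is only honoured by browsers in a secure (HTTPS) context.
    res.setHeader('Clear-Site-Data', '"cache", "cookies", "storage"');
    // Keep the logout response itself out of any cache.
    res.setHeader('Cache-Control', 'no-store');
    res.setHeader('Pragma', 'no-cache');
    // The attributes here must match those the cookie was issued with
    // (including path, if one was set) or the browser will not remove it.
    // NOTE(review): 'sessionId' must be the name of the session cookie
    // actually issued by the session middleware — confirm against its config.
    res.clearCookie('sessionId', {
      secure: true,
      httpOnly: true,
      sameSite: 'strict',
    });
    if (err) {
      console.error('Session destruction error:', err);
      // Do not claim success: the server-side session may still be valid.
      return res.status(500).json({ error: 'Logout failed' });
    }
    res.json({ message: 'Logged out successfully' });
  });
});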
WWW-Authenticate: Challenges for authentication
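// Custom authentication middleware
/**
 * Express middleware that requires a valid Bearer JWT on the request.
 *
 * Behaviour:
 *  - no Authorization header        -> 401 with a plain Bearer challenge
 *  - header not of the form
 *    "Bearer <token>"               -> 401, challenge error="invalid_request"
 *  - JWT_SECRET not configured       -> 500 (deployment fault, not a client error)
 *  - token fails jwt.verify()        -> 401, challenge error="invalid_token"
 *  - token verifies                  -> req.user = decoded payload; next()
 *
 * Fixes over the previous version: the scheme is now checked (any first word
 * was accepted before), next() is called outside the try so that errors thrown
 * by downstream handlers are no longer reported to the client as an invalid
 * token, and a missing secret is no longer masked as a token error.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 */
function requireAuth(req, res, next) {
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    res.setHeader('WWW-Authenticate', 'Bearer realm="API", charset="UTF-8"');
    return res.status(401).json({ error: 'Authentication required' });
  }

  // RFC 6750: the scheme name is case-insensitive and is followed by exactly
  // one token; anything else is a malformed request rather than a bad token.
  const [scheme, token, ...extra] = authHeader.trim().split(/\s+/);
  if (!token || extra.length > 0 || scheme.toLowerCase() !== 'bearer') {
    res.setHeader(
      'WWW-Authenticate',
      'Bearer realm="API", error="invalid_request", error_description="Malformed Authorization header"'
    );
    return res.status(401).json({ error: 'Invalid authentication' });
  }

  const secret = process.env.JWT_SECRET;
  if (!secret) {
    // Without a secret nothing can be verified; surface the misconfiguration
    // instead of telling every caller their token is invalid.
    console.error('JWT_SECRET is not configured');
    return res.status(500).json({ error: 'Authentication unavailable' });
  }

  let decoded;
  try {
    // NOTE(review): pass `{ algorithms: [...] }` pinned to the algorithm the
    // tokens are actually signed with, so the token cannot choose it — confirm
    // which algorithm is in use before adding it.
    decoded = jwt.verify(token, secret);
  } catch (error) {
    res.setHeader(
      'WWW-Authenticate',
      'Bearer realm="API", error="invalid_token", error_description="Token expired or invalid"'
    );
    return res.status(401).json({ error: 'Invalid authentication' });
  }

  req.user = decoded;
  // Outside the try: a throw from a downstream handler must propagate to the
  // framework's error handling, not be reported as an invalid token.
  next();
}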