Multi-tenant caching and auth privacy hardening
Fix
Week of May 31, 2026
Two small security and privacy fixes shipped together.
- Sitemap cache isolation — the community sitemap response now includes Vary: Host, ensuring that any shared HTTP cache (CDN edge node, reverse proxy) keys the cached response to the specific community hostname. Without this, a cache could mistakenly return Community A’s sitemap to a request from Community B’s domain.
- Login pages never cached — the advocate and community login flows now send Cache-Control: no-store, preventing browsers and proxies from storing pages that may contain session-sensitive content.
No admin action required.
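
The two header changes above, modeled as an added example (not the product's code): a toy shared cache whose primary key is the path alone, replayed with and without the new headers. The hostnames, the `/sitemap.xml` and `/login` paths, and the cache model itself are constructed assumptions.

```python
# Added example: toy model of a shared cache, not the product's code.
# Assumption: the cache's primary key is the path only (no hostname).
A, B = "community-a.example", "community-b.example"  # constructed hostnames

class SharedCache:
    def __init__(self):
        self.store = {}  # path -> [(vary header names, request values, body)]

    def fetch(self, origin, path, req):
        # Reuse a stored variant only if every header named by Vary matches.
        for names, values, body in self.store.get(path, []):
            if all(req.get(n) == v for n, v in zip(names, values)):
                return body, "HIT"
        headers, body = origin(path, req)
        directives = [d.strip().lower()
                      for d in headers.get("cache-control", "").split(",")]
        if "no-store" in directives:
            return body, "MISS (not stored)"  # never written to the cache
        names = tuple(n.strip().lower()
                      for n in headers.get("vary", "").split(",") if n.strip())
        values = tuple(req.get(n) for n in names)
        self.store.setdefault(path, []).append((names, values, body))
        return body, "MISS"

def make_origin(send_vary_host):
    # Hypothetical multi-tenant origin: one app, content chosen by Host.
    def origin(path, req):
        if path == "/login":
            return {"cache-control": "no-store"}, f"login page for {req['host']}"
        headers = {"vary": "Host"} if send_vary_host else {}
        return headers, f"sitemap for {req['host']}"
    return origin

def replay(send_vary_host, path="/sitemap.xml"):
    # Community A requests first, then community B, through one cache.
    cache, origin = SharedCache(), make_origin(send_vary_host)
    return [cache.fetch(origin, path, {"host": h}) for h in (A, B)]

if __name__ == "__main__":
    print("without Vary: Host:", replay(False))
    print("with Vary: Host:   ", replay(True))
    print("login, no-store:   ", replay(True, "/login"))
```

Without the header, community B's request is answered from the entry stored for community A; with it, B's request misses and gets its own sitemap, and the login page is never stored at all.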