fix: All responses now contain headers to not cache them

README.md

@@ -267,7 +267,7 @@ func authorizeHandlerFunc(rw http.ResponseWriter, req *http.Request) {
 	// Normally, this would be the place where you would check if the user is logged in and gives his consent.
 	// We're simplifying things and just checking if the request includes a valid username and password
 	if req.Form.Get("username") != "peter" {
-		rw.Header().Set("Content-Type", "text/html; charset=utf-8")
+		rw.Header().Set("Content-Type", "text/html;charset=UTF-8")
 		rw.Write([]byte(`<h1>Login page</h1>`))
 		rw.Write([]byte(`
 			<p>Howdy! This is the log in page. For this example, it is enough to supply the username.</p>

access_error.go

@@ -33,6 +33,8 @@ func (f *Fosite) WriteAccessError(rw http.ResponseWriter, _ AccessRequester, err
 
 func (f *Fosite) writeJsonError(rw http.ResponseWriter, err error) {
 	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 
 	rfcerr := ErrorToRFC6749Error(err)
 	if !f.SendDebugMessagesToClients {

authorize_error.go

@@ -42,7 +42,9 @@ func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequest
 			return
 		}
 
-		rw.Header().Set("Content-Type", "application/json")
+		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
 		rw.WriteHeader(rfcerr.Code)
 		rw.Write(js)
 		return

introspection_response_writer.go

@@ -61,7 +61,9 @@ func (f *Fosite) WriteIntrospectionError(rw http.ResponseWriter, err error) {
 		return
 	}
 
-	rw.Header().Set("Content-Type", "application/json")
+	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 	_ = json.NewEncoder(rw).Encode(struct {
 		Active bool `json:"active"`
 	}{Active: false})
@@ -207,7 +209,9 @@ func (f *Fosite) WriteIntrospectionResponse(rw http.ResponseWriter, r Introspect
 		expiresAt = r.GetAccessRequester().GetSession().GetExpiresAt(AccessToken).Unix()
 	}
 
-	rw.Header().Set("Content-Type", "application/json")
+	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 	_ = json.NewEncoder(rw).Encode(struct {
 		Active    bool     `json:"active"`
 		ClientID  string   `json:"client_id,omitempty"`

revoke_handler.go

@@ -102,6 +102,8 @@ func (f *Fosite) WriteRevocationResponse(rw http.ResponseWriter, err error) {
 	switch errors.Cause(err).Error() {
 	case ErrInvalidRequest.Error():
 		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
 
 		js, err := json.Marshal(ErrInvalidRequest)
 		if err != nil {
@@ -113,6 +115,8 @@ func (f *Fosite) WriteRevocationResponse(rw http.ResponseWriter, err error) {
 		rw.Write(js)
 	case ErrInvalidClient.Error():
 		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
 
 		js, err := json.Marshal(ErrInvalidClient)
 		if err != nil {