
Add default Cache-Control header to all responses. #1180

Merged
jwag956 merged 1 commit into main from cc1178
Feb 26, 2026

Conversation

jwag956 (Collaborator) commented Feb 25, 2026

As a default we use Cache-Control: private no-store.
private is the minimum required to ensure that no responses get cached in a shared cache.
no-store goes further and requests that responses aren't cached at all - even at the browser. Note that some browsers (e.g. Chrome) have recently started, in some instances, to ignore no-store.

Flask-Security endpoints send and receive very little data - so not caching them shouldn't affect performance.
As enumerated in issue #1178 - there are very few current APIs that return any sensitive information as part of a GET request that, if allowed to be cached in a shared cache, would enable information leaking.
At least one place is in the case of using Authorization-Tokens, no sessions/session cookies. A GET /login from an authenticated user could return sensitive info that could be cached.

closes #1178
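The default described above, as an added example that is not Flask-Security's own implementation: a hypothetical WSGI middleware (`DefaultCacheControl`) that sets `Cache-Control: private, no-store` on every response the wrapped application left without one while keeping any explicit policy (directives are comma-separated in the header), plus an `is_shared_cache_safe` check for auditing responses. `sample_app`, its paths and its payload are constructed for the example.

```python
from wsgiref.util import setup_testing_defaults

DEFAULT_CACHE_CONTROL = "private, no-store"  # directives are comma-separated

def parse_cache_control(value):
    """Return the lowercase directive names in a Cache-Control value."""
    return {p.strip().split("=", 1)[0].strip().lower()
            for p in value.split(",") if p.strip()}

def is_shared_cache_safe(headers):
    """True if 'private' or 'no-store' is present, so a shared cache
    (CDN, reverse proxy) will not store the response."""
    for name, value in headers:
        if name.lower() == "cache-control":
            return bool({"private", "no-store"} & parse_cache_control(value))
    return False

class DefaultCacheControl:
    """Hypothetical WSGI middleware (not Flask-Security's own code): add a
    Cache-Control header to any response the wrapped app left without one."""
    def __init__(self, app, value=DEFAULT_CACHE_CONTROL):
        self.app, self.value = app, value

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            if not any(n.lower() == "cache-control" for n, _ in headers):
                headers = list(headers) + [("Cache-Control", self.value)]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)

def run_request(app, path="/login"):
    """Call a WSGI app in-process; return (status, headers, body)."""
    environ, captured = {"PATH_INFO": path}, {}
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

# Constructed sample app: /login returns account data with no caching directive
# (the leak scenario from the PR); /static sets an explicit policy that is kept.
def sample_app(environ, start_response):
    headers = [("Content-Type", "application/json")]
    if environ["PATH_INFO"] == "/static":
        headers.append(("Cache-Control", "public, max-age=3600"))
    start_response("200 OK", headers)
    return [b'{"user": "example", "token": "CONSTRUCTED"}']

protected_app = DefaultCacheControl(sample_app)
```

Wrapping a Flask app the same way (`app.wsgi_app = DefaultCacheControl(app.wsgi_app)`) applies the default to every response, including ones produced by blueprints that never think about caching.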

codecov bot commented Feb 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.52%. Comparing base (d88f787) to head (bbd6e72).
⚠️ Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main    #1180   +/-   ##
=======================================
  Coverage   98.52%   98.52%           
=======================================
  Files          40       40           
  Lines        5026     5033    +7     
=======================================
+ Hits         4952     4959    +7     
  Misses         74       74           


@jwag956 jwag956 merged commit 3b444f1 into main Feb 26, 2026
20 checks passed
@jwag956 jwag956 deleted the cc1178 branch February 26, 2026 00:12

Linked issue that this pull request may close: Verify all responses properly manage cache control