--- /dev/null
+<?php
+
+namespace Drupal\basic_auth\PageCache;
+
+use Drupal\Core\PageCache\RequestPolicyInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Cache policy for pages served from basic auth.
+ *
+ * This policy disallows caching of requests that use basic_auth for security
+ * reasons. Otherwise responses for authenticated requests can get into the
+ * page cache and could be delivered to unprivileged users.
+ */
+class DisallowBasicAuthRequests implements RequestPolicyInterface {
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check(Request $request) {
+ $username = $request->headers->get('PHP_AUTH_USER');
+ $password = $request->headers->get('PHP_AUTH_PW');
+ if (isset($username) && isset($password)) {
+ return self::DENY;
+ }
+ }
+
+}