Prune headers that don't belong in cache metadata

There is no justifiable reason to put the `authorization` header in the
cache metadata.  Even if we can assume that the cache should not ever be
exposed or leaked, it's a security footgun that is unnecessary.

Some other fields probably should not be cached as well.  We may want to
re-enable storing the npm or Cloudflare session IDs at some point for
debugging, but for now, these are also just excessive.

cache.js

@@ -12,6 +12,20 @@ const MinipassPipeline = require('minipass-pipeline')
 
 const MAX_MEM_SIZE = 5 * 1024 * 1024 // 5MB
 
+// some headers should never be stored in the cache, either because
+// they're a security footgun to leave lying around, or because we
+// just don't need them taking up space.
+// set to undefined so they're omitted from the JSON.stringify
+const pruneHeaders = {
+  authorization: undefined,
+  'npm-session': undefined,
+  'set-cookie': undefined,
+  'cf-ray': undefined,
+  'cf-cache-status': undefined,
+  'cf-request-id': undefined,
+  'x-fetch-attempts': undefined
+}
+
 function cacheKey (req) {
   const parsed = new url.URL(req.url)
   return `make-fetch-happen:request-cache:${
@@ -35,6 +49,11 @@ module.exports = class Cache {
     this.Promise = (opts && opts.Promise) || Promise
   }
 
+  static get pruneHeaders () {
+    // exposed for testing, not modifiable
+    return { ...pruneHeaders }
+  }
+
   // Returns a Promise that resolves to the response associated with the first
   // matching request in the Cache object.
   match (req, opts) {
@@ -109,8 +128,14 @@ module.exports = class Cache {
       algorithms: opts.algorithms,
       metadata: {
         url: req.url,
-        reqHeaders: req.headers.raw(),
-        resHeaders: response.headers.raw()
+        reqHeaders: {
+          ...req.headers.raw(),
+          ...pruneHeaders
+        },
+        resHeaders: {
+          ...response.headers.raw(),
+          ...pruneHeaders
+        }
       },
       size,
       memoize: fitInMemory && opts.memoize

test/cache.js

@@ -121,8 +121,14 @@ test('put method', (t) => {
         algorithms: undefined,
         metadata: {
           url: `${HOST}/put-test`,
-          reqHeaders: req.headers.raw(),
-          resHeaders: initialResponse.headers.raw()
+          reqHeaders: {
+            ...req.headers.raw(),
+            ...Cache.pruneHeaders
+          },
+          resHeaders: {
+            ...initialResponse.headers.raw(),
+            ...Cache.pruneHeaders
+          }
         },
         size: CONTENT.length,
         memoize: undefined
@@ -160,8 +166,14 @@ test('put method', (t) => {
         algorithms: undefined,
         metadata: {
           url: `${HOST}/put-test`,
-          reqHeaders: req.headers.raw(),
-          resHeaders: initialResponse.headers.raw()
+          reqHeaders: {
+            ...req.headers.raw(),
+            ...Cache.pruneHeaders
+          },
+          resHeaders: {
+            ...initialResponse.headers.raw(),
+            ...Cache.pruneHeaders
+          }
         },
         size: null,
         memoize: false