Architectural Gap: Application Lacks Global Anti-Caching Middleware, Exposing Sensitive Endpoints

A critical architectural vulnerability has been identified within the application's security posture: the complete absence of a global or blueprint-level middleware to enforce anti-caching headers. This systemic gap means that every new endpoint is automatically born vulnerable, placing the onus on individual developers to manually remember and implement security controls. The current protection is dangerously sparse, with only approximately 6% of sensitive endpoints—just 1 out of roughly 16—actively secured against caching risks.

The flaw is rooted in the application's blueprint structure. While all four core blueprints—`api.py`, `admin.py`, `get.py`, and `post.py`—define `before_request` hooks, none implement the necessary `after_request` hooks to add security headers. This architectural oversight is compounded by the lack of any global enforcement mechanism in the foundational `src/asfquart/generics.py`. The result is a fragmented and unreliable security model where protection is the exception, not the rule.

This design failure creates a persistent and expanding attack surface. Without a centralized enforcement layer, the application is perpetually one developer oversight away from exposing sensitive data through client or proxy caches. The vulnerability directly impacts all data handled by the unprotected endpoints, raising significant risks for data confidentiality and integrity. It represents a foundational security debt that must be addressed at the architectural level to prevent systemic data leakage.