CACHE CONTROLS MISSING

Feature     Value
Type        Detection
Risk        -
Covered by  Agent

The browser can temporarily store some of the pages it has displayed. These cached files are kept in a folder on disk, such as the Temporary Internet Files folder in the case of Internet Explorer. When the same page is requested again, the browser serves it from its cache, which is much faster than downloading it from the server. Consider the scenario where a user logs in to an application with a username and password and then browses pages that contain sensitive information. Suppose a page showing the user's credit card details is cached by the browser and the user then logs out. If attackers later gain access to the same machine, they can search the Temporary Internet Files and recover the credit card details without ever knowing the user's username or password.

How to solve it

Send the HTTP headers that disable caching of data in browsers and proxies. Hdiv Agent inspects responses for a Cache-Control header whose value contains both no-store and no-cache. Sending these headers dramatically reduces caching-related problems in most modern browsers.

The response sent from the server can carry cache control directives that you set from your code; they govern how the content may be stored by any cache, whether in the browser or in an intermediate proxy. The directives to set are Cache-Control: no-cache, no-store and Expires: 0. Because legacy HTTP 1.0 caches do not understand the Cache-Control header, the Pragma: no-cache header should be sent as well so that the instruction is understood universally.

The best way to prevent this issue from occurring in Java EE applications is to add the following setHeader() calls to a servlet filter that is mapped to apply to all pages containing sensitive content:

response.setHeader("Pragma", "no-cache");                                   // HTTP 1.0 controls
response.setDateHeader("Expires", 0);                                       // Prevents caching on proxy servers
response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP 1.1 controls
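The following is an added example, not code from Hdiv or from the original page, showing the three setHeader() calls above wrapped in a complete servlet filter. The class name NoCacheFilter and the URL patterns /account/* and /payment/* are assumptions; adapt them to the paths that actually serve sensitive content. The static helper hasRequiredDirectives() mirrors the check described for the agent (both no-store and no-cache must be present in Cache-Control) and can be used in a test to confirm the filter's output.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped only to the paths that serve sensitive content.
@WebFilter(urlPatterns = {"/account/*", "/payment/*"})
public class NoCacheFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Headers must be set before the response is committed, so set them
            // before handing the request down the chain.
            http.setHeader("Pragma", "no-cache");                                   // HTTP 1.0 caches
            http.setDateHeader("Expires", 0);                                       // proxy servers
            http.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP 1.1 caches
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    // Returns true only if the Cache-Control value contains both the no-store and
    // no-cache directives, which is the condition the agent checks for.
    static boolean hasRequiredDirectives(String cacheControl) {
        if (cacheControl == null) {
            return false;
        }
        Set<String> directives = Arrays.stream(cacheControl.split(","))
                .map(d -> d.trim().toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
        return directives.contains("no-store") && directives.contains("no-cache");
    }
}
```

Because the headers are set before chain.doFilter(), a servlet further down the chain can still replace them with its own Cache-Control value; if that happens, hasRequiredDirectives() applied to the final response will return false, which is the same condition the agent reports. Setting the headers after the chain returns is not a safe alternative, because by then the response may already be committed and the headers silently ignored.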

If setting headers is not an option, another possibility is to use meta tags in the HTML sent to the browser. Note that intermediate proxies do not parse HTML, so meta tags only influence the browser itself; response headers remain the reliable mechanism:

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">