Cacheable HTTPS response

Description: Cacheable HTTPS response

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Remediation: Cacheable HTTPS response

Applications should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

• Cache-control: no-store
• Pragma: no-cache

Vulnerability classifications

• CWE-524: Information Exposure Through Caching
• CWE-525: Information Exposure Through Browser Caching

Typical severity

Information

Type index

0x00700100