Incomplete or No Cache-control and Pragma HTTP Header Set
Reference
Plugin Id: 10015 | CWE: 525
Remediation
To set the Cache-Control and Pragma HTTP headers properly, follow these steps:
- Cache-Control header: set the Cache-Control header to specify caching directives for both the browser and intermediate proxies. On Apache (the `Header` directive belongs to mod_headers, which must be enabled) this is done by adding the following line to the server configuration file:
  Header set Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate"
  This configuration prevents caching of the content by both the browser and any intermediate proxies.
- Pragma header: set the Pragma header to prevent caching by older HTTP/1.0 proxies. Add the following line to the server configuration file:
  Header set Pragma "no-cache"
  This configuration ensures that older proxies do not cache the content.
- Testing: after making these changes, test the website to confirm that the Cache-Control and Pragma headers are set correctly on its responses. Use browser developer tools or online tools to inspect the headers of the website's responses.
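The testing step can be automated. The following is an added example written for this page, not ZAP's own rule implementation: it parses a raw HTTP response, extracts the Cache-Control and Pragma directives, and reports which of the directives named in the remediation above are missing. The two responses it is run on are constructed samples, and the required-directive sets are an assumption modelled on the remediation text rather than on ZAP's internal logic.

```python
"""Check an HTTP response for the anti-caching headers the remediation prescribes.

Added example for this page; not ZAP's own code.  The checker is modelled on the
remediation text (assumption), not on the scanner's internal implementation.
"""
from email.parser import Parser
from typing import Dict, List, Set
import urllib.request

# Directives the remediation requires (assumption: taken from the text above).
REQUIRED_CACHE_CONTROL = {"no-store", "no-cache", "must-revalidate"}
REQUIRED_PRAGMA = {"no-cache"}

# Constructed sample responses, one weak and one matching the remediation.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: max-age=0, private\r\n"
    "\r\n"
    "<html><body>account balance: 1234.56</body></html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html><body>account balance: 1234.56</body></html>"
)


def parse_raw_response(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict.

    Repeated header names are joined with ', ', which is how HTTP defines the
    combined value of a list-valued field such as Cache-Control.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    msg = Parser().parsestr("\r\n".join(lines[1:]), headersonly=True)
    headers: Dict[str, str] = {}
    for name, value in msg.items():
        key = name.lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def directives(value: str) -> Set[str]:
    """Split a Cache-Control/Pragma value into lowercase directive names.

    Arguments are dropped, so 'max-age=0' contributes 'max-age'.
    """
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def check_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a parsed header dict; an empty list means compliant."""
    findings: List[str] = []
    if "cache-control" not in headers:
        findings.append("Cache-Control header missing")
    else:
        missing = REQUIRED_CACHE_CONTROL - directives(headers["cache-control"])
        if missing:
            findings.append("Cache-Control lacks: " + ", ".join(sorted(missing)))
    if not REQUIRED_PRAGMA <= directives(headers.get("pragma", "")):
        findings.append("Pragma: no-cache missing")
    return findings


def check_url(url: str) -> List[str]:
    """Fetch a live URL and run the same check on its response headers (needs network)."""
    with urllib.request.urlopen(url) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
    return check_cache_headers(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_cache_headers(parse_raw_response(raw)) or "OK")
```

Running the script reports three missing Cache-Control directives and the absent Pragma header for the weak sample, and "OK" for the fixed one; `check_url` applies the same logic to a live response for use after the server configuration has been changed.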
About
The vulnerability “Incomplete or No Cache-control and Pragma HTTP Header Set” occurs when the cache-control and pragma HTTP headers are not set properly or are missing. These headers are used to control caching behavior in the browser and intermediate proxies. When these headers are not set correctly, the browser and proxies may cache the content, which can lead to security and privacy issues.
Risks
The risks associated with this vulnerability include:
- Caching Sensitive Information: If sensitive information is cached by the browser or intermediate proxies, it can be accessed by unauthorized users.
- Data Leakage: Caching sensitive data can lead to data leakage if the cached content is accessed by other users or if the device is lost or stolen.
- Outdated Content: If the content is cached and not updated regularly, users may see outdated information, which can lead to confusion or incorrect actions.
- Privacy Concerns: Caching personal or private information can violate user privacy, especially if the cached content is accessible to other users or stored on shared devices.