Missing or Insecure Cache-Control Header

Description

Web cache or HTTP cache is a system used to optimize web performance. Browsers cache the contents of a resource to reuse it on subsequent requests, which can improve page load times by caching images and other static resources. However, it’s crucial to prevent clients from caching pages that contain sensitive, dynamic, or user-specific content to avoid information disclosure.

Recommendation

To prevent caching of sensitive or dynamic content, ensure that the appropriate Cache-Control headers are set. You can use one of the following headers:

• Cache-Control: no-cache, no-store
• Cache-Control: max-age=0, must-revalidate
• Cache-Control: private

References

• OWASP: Session Management Cheat Sheet
• CWE-16
• CWE-200
• CWE-525
• CAPEC-118
• OWASP 2021-A5

Related Issues

• Content-Security-Policy Header is Missing - Vulnerability
• Referrer-Policy Header is Missing - Vulnerability
• Strict-Transport-Security Header is Missing - Vulnerability
• X-Content-Type-Options Header is Missing - Vulnerability

Tags:

HTTP Headers

Information Disclosure

Application Misconfiguration