Trace UUID: OURS-EJMY-A36N-8G1Z
https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/OURS-EJMY-A36N-8G1Z/overview
Description
We observed 4 pages which had the following insufficient cache control configurations:
/sqli/mysql
/sqli/
/command_injection/
/
Risk
By default, web browsers and proxies aggressively cache web content, including pages as well as their static content. In response to the given URL(s), the application does not effectively instruct browsers and intermediate caches not to store this content, so page data can remain in the browser cache, in a shared proxy cache, or on disk of a shared machine after the user's session has ended.
Recommendation to fix this finding
There are several response headers that tell the browser and any intervening proxies not to cache this data. Because the number of browser and proxy version permutations keeps growing, and different user agents honour different controls, keeping track of which agent requires which cache control is impractical. The recommendation is therefore to issue a combination of caching controls so that user agents of every type are properly informed of the application's intentions. Issuing only a subset of these controls risks leaving some version of some browser or proxy retaining page data when it should not.
The http module's ServerResponse class (https://nodejs.org/api/http.html#http_class_http_serverresponse) exposes a setHeader(name, value) function which can be used to add these response headers to control caching:
```js
response.setHeader('Cache-Control', 'private, no-store, no-cache, must-revalidate'); // HTTP/1.1 controls
response.setHeader('Pragma', 'no-cache'); // HTTP/1.0 controls; no-cache is the only defined request/response directive for Pragma
response.setHeader('Expires', '0'); // an invalid/past date is treated as "already expired" by proxies and browsers
```
If using the Express framework, the helmet middleware (https://www.npmjs.com/package/helmet) can be used to set an app's response headers:
```js
const express = require('express');
const helmet = require('helmet');
const app = express();
// helmet.noCache() sets Cache-Control, Pragma, Expires and Surrogate-Control on every response.
// It was removed in Helmet 4; on current Helmet versions use the standalone nocache package
// (const nocache = require('nocache'); app.use(nocache());), which sets the same headers.
app.use(helmet.noCache());
```
If setting headers is difficult in your infrastructure, you can also approximate them via meta tags in the HTML sent to the browser:
```html
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
```
Meta tags are a weaker control than real headers: they apply only to HTML documents (not to JSON responses, scripts or other resources), intermediate proxies never see them, and browsers do not honour them consistently. Prefer response headers wherever possible.
At a minimum, Contrast expects to see a Cache-Control setting that contains no-store and no-cache. This will alleviate client-side browser caching concerns in modern browsers. This control can be delivered with a setHeader() call or a <meta> tag. To confirm the fix, request each listed path and inspect the response headers (for example with curl -sD - -o /dev/null <url>, or the browser's network panel) and verify that both directives are present on every response, including error pages.