Detectify
Knowledge Base

Back to Knowledge Base

Support Center

Missing Cache-Control

Last Updated: Apr 22, 2017 12:35AM CEST

The page this finding was found on will be cached as there are no headers to prevent caching. This becomes a problem when the page is behind authorization. If the web traffic goes through a proxy (a common corporate setup) it may be cached there, and when someone else visits the page without logging in they may be served the authorized page.

This finding should only occur on pages behind some kind of authorization. If that is not the case, please report it as a False Positive and our developers will look at it.

What can happen?

An attacker could access data intended only for the logged in user. This includes all kinds of details or data.

Please observe this is just about reading the data, not executing tasks that require logging in. The impact would be similar to having the attacker stand behind the visitor, looking at all the secret information, without being able to actually execute tasks requiring a login.

Remediation

Utilize the cache-control header and set the value to nocache. More information about the header can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

If you still have any questions about this finding, reach out to support@detectify.com and we will try to help out!

support@detectify.com
https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete