Missing Cache-Control

The page on which this finding was raised will be cached, because the response carries no headers that prevent caching. This becomes a problem when the page sits behind authorization. If the web traffic goes through a proxy (a common corporate setup), the response may be cached there, and when someone else later visits the same URL without logging in, the proxy may serve them the authorized page.

This finding should only occur on pages behind some kind of authorization. If that is not the case, please report it as a False Positive and our developers will look at it.

What can happen?

An attacker could read data intended only for the logged-in user. This includes any kind of detail or data shown on the cached page.

Note that this concerns only reading the data, not executing tasks that require logging in. The impact is similar to having the attacker stand behind the visitor, looking at all of the secret information, without being able to actually perform actions that require a login.

Remediation

Send the Cache-Control header on these pages and set its value to no-cache. More information about the header can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
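The following is an added example and not part of the Detectify finding text or its scanner. It shows the two sides of the remediation: a small check that decides whether a response could be stored by a shared cache and handed to a later visitor without the origin being consulted (the scenario described above), and a helper that applies a header set which prevents that. The header set goes slightly beyond the single directive named in the remediation: `no-store` stops caches from keeping the response at all, `private` keeps shared caches out, and `Pragma`/`Expires` cover legacy HTTP/1.0 proxies that ignore Cache-Control. All sample headers are constructed for the example.

```python
"""
Added example, not part of the Detectify finding text: decide whether a
response carrying logged-in content could be stored by a shared cache
(e.g. a corporate proxy) and served to a different visitor, and build the
header set that prevents it. Header samples below are constructed inline.
"""
from typing import Dict, Optional

# Response headers that stop caching in browsers and proxies.
# "no-store" forbids storing the response at all, "no-cache" forces
# revalidation even if something does store it, "private" keeps shared
# caches out, and Pragma/Expires cover legacy HTTP/1.0 proxies.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'a, b=1' into {'a': None, 'b': '1'} with lowercase directive names."""
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _as_int(arg: Optional[str]) -> Optional[int]:
    """Integer value of a directive argument, or None if absent or malformed."""
    try:
        return int(arg) if arg is not None else None
    except ValueError:
        return None


def shared_cache_may_reuse(headers: Dict[str, str]) -> bool:
    """True if a shared cache may store this response and hand it to a later
    client without asking the origin (the scenario in the finding).

    Header names are matched case-insensitively. A response with no caching
    headers at all is treated as reusable: RFC 7234 allows heuristic freshness
    for such responses, which is exactly why the finding is raised.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))

    # Directives that forbid storing, or forbid reuse without revalidation.
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return False

    # Explicit freshness lifetime; for shared caches s-maxage wins over max-age.
    s_maxage = _as_int(cc.get("s-maxage"))
    if s_maxage is not None:
        return s_maxage > 0
    max_age = _as_int(cc.get("max-age"))
    if max_age is not None:
        return max_age > 0

    # Legacy HTTP/1.0 signal, honoured by old proxies and harmless elsewhere.
    if lowered.get("pragma", "").lower() == "no-cache":
        return False
    return True  # nothing forbids it, so heuristic caching applies


def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers with NO_CACHE_HEADERS applied,
    replacing any existing Cache-Control/Pragma/Expires regardless of case."""
    kept = {k: v for k, v in headers.items()
            if k.lower() not in ("cache-control", "pragma", "expires")}
    kept.update(NO_CACHE_HEADERS)
    return kept


if __name__ == "__main__":
    # Constructed sample: an account page served without any caching headers.
    account_page = {"Content-Type": "text/html; charset=utf-8",
                    "Set-Cookie": "session=abc; HttpOnly"}
    print("reusable before:", shared_cache_may_reuse(account_page))           # True
    print("reusable after: ", shared_cache_may_reuse(harden(account_page)))   # False
```

Run `shared_cache_may_reuse` against the headers your authenticated pages actually return; a `True` for any such page is the condition this finding describes, and merging `NO_CACHE_HEADERS` into those responses (the `harden` helper shows the replacement) clears it. Responses that must remain cacheable for performance should be the unauthenticated ones only.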

If you still have any questions about this finding, reach out to support@detectify.com and we will try to help out!