In our application, we didn't set the Cache-Control and Pragma headers on the response, and an OWASP scan is reporting "Incomplete or No Cache-control and Pragma HTTP Header Set" and suggesting that we set these headers. I am not sure whether the earlier developers intentionally left them out to improve performance in client browsers. Is it necessary to set these headers on the response at the server side to resolve the OWASP finding, or can we mark this as a false finding?
Needs more context; do you want the responses to be cacheable or not? – Julian Reschke Jan 20 '21 at 11:49
1 Answer
This appears to be a warning from ZAP:
Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.
This is not, in general, good advice to follow. Preventing browser caching has performance downsides, is not guaranteed to take effect and may increase server load.
For specific pages with sensitive data, you may wish to prevent caching; How secure page browser cache vulnerability makes web application in secure? explains why you may wish to do this, and How do we control web page caching, across all browsers? explains how.

Joe
But ZAP reported this as Low Severity instead of Informational, which is why I am really concerned. – Vineel Pellella Jan 22 '21 at 07:29
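The answer's point is that the ZAP rule is a blanket check, while the sensible policy is per-response: full no-store headers on pages carrying sensitive data, normal caching elsewhere. The following is an added example (not code from the question, the answer, or ZAP itself) that shows both halves: a helper that picks headers based on a `sensitive` flag supplied by the application, and a reimplementation of the check behind the quoted ZAP rule so you can see which responses it would flag. The helper names, the `sensitive` flag and the sample responses are all constructed for illustration.

```python
"""Added example: per-response cache headers plus a ZAP-style completeness check.

Assumptions (not from the original thread): the helper names, the idea of a
`sensitive` flag passed by the application, and the sample header sets are all
constructed here for illustration.
"""
from typing import Dict, List

# Directives the ZAP rule quoted in the answer expects on a non-cacheable response.
REQUIRED_CACHE_CONTROL = {"no-cache", "no-store", "must-revalidate"}


def cache_headers_for(sensitive: bool, max_age: int = 3600) -> Dict[str, str]:
    """Return the caching headers for one response.

    Sensitive pages (account data, session tokens, PII) get the full no-store
    set so a shared browser or intermediary cache does not keep a copy; every
    other response keeps a normal cache policy so the performance downside the
    answer mentions is avoided.
    """
    if sensitive:
        return {
            "Cache-Control": "no-cache, no-store, must-revalidate",
            "Pragma": "no-cache",  # legacy HTTP/1.0 caches ignore Cache-Control
            "Expires": "0",
        }
    return {"Cache-Control": f"public, max-age={max_age}"}


def _directives(value: str) -> set:
    """Split a header value into lowercase directive names ('max-age=60' -> 'max-age')."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def zap_style_findings(headers: Dict[str, str]) -> List[str]:
    """Approximate the check behind 'Incomplete or No Cache-control and Pragma HTTP Header Set'.

    Returns human-readable findings; an empty list means the response satisfies
    the rule exactly as quoted in the answer. This is a constructed reading of
    that rule, not ZAP's own scanner code.
    """
    # HTTP header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    cache_control = lower.get("cache-control")
    if cache_control is None:
        findings.append("Cache-Control header missing")
    else:
        missing = REQUIRED_CACHE_CONTROL - _directives(cache_control)
        if missing:
            findings.append("Cache-Control incomplete, missing: " + ", ".join(sorted(missing)))

    if "no-cache" not in _directives(lower.get("pragma", "")):
        findings.append("Pragma: no-cache missing")
    return findings


if __name__ == "__main__":
    # Constructed sample: one sensitive page and one static asset.
    for label, sensitive in (("account page", True), ("logo.png", False)):
        hdrs = cache_headers_for(sensitive)
        print(f"{label}: {hdrs} -> {zap_style_findings(hdrs) or 'no findings'}")
```

Running the module shows the static asset being flagged exactly as the scanner would flag it, which is the expected outcome for a cacheable response; the useful triage step is to run the check only over the endpoints that serve sensitive data and treat findings on public, static resources as accepted.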