Missing 'Cache-Control' Header

low Web App Scanning Plugin ID 112553

Language:

Synopsis

Missing 'Cache-Control' Header

Description

The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms.

The server did not return or returned an invalid 'Cache-Control' header which means page containing sensitive information (password, credit card, personal data, social security number, etc) could be stored on client side disk and then be exposed to unauthorised persons. This URL is flagged as a specific example.

Solution

Configure your web server to include a 'Cache-Control' header with appropriate directives. If page contains sensitive information 'Cache-Control' value should be 'no-store' and 'Pragma' header value should be 'no-cache'.

See Also

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control

https://www.owasp.org/index.php/Testing_for_Browser_cache_weakness_(OTG-AUTHN-006)

Plugin Details

Severity: Low

ID: 112553

Type: remote

Family: HTTP Security Header

Published: 2/15/2019

Updated: 3/25/2024

Scan Template: api, basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 525

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A4

WASC: Application Misconfiguration

CAPEC: 37

DISA STIG: APSC-DV-002480

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-8.2.1

PCI-DSS: 3.2-2.2