
Cache Control Header

Description

The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms. The server did not return (or returned an invalid) 'Cache-Control' header, which means pages containing sensitive information could be stored client-side and then be exposed to unauthorized persons.

Remediation

Whenever possible, ensure the Cache-Control HTTP header is set to no-cache, no-store, must-revalidate, and that the Pragma HTTP header is set to no-cache.
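As an added example (not part of the Escape check's own code), the following Python evaluates a response's headers against the remediation above: it parses the Cache-Control value, reports it as missing, invalid or weak, and treats the Pragma: no-cache companion header as advisory. The sample responses, the directive set REQUIRED_DIRECTIVES and the status names are constructed for this illustration.

```python
"""Evaluate a response's Cache-Control header the way a scanner check would."""
from __future__ import annotations

from dataclasses import dataclass, field

# Directives the remediation asks for on responses carrying sensitive data.
REQUIRED_DIRECTIVES = ("no-cache", "no-store", "must-revalidate")


@dataclass
class CacheControlFinding:
    status: str                      # "ok", "missing", "invalid" or "weak"
    missing: list[str] = field(default_factory=list)
    detail: str = ""


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into {directive: argument-or-None}.

    Directive names are case-insensitive (RFC 9111); quoted arguments keep
    their content without the quotes. Malformed tokens raise ValueError.
    """
    directives: dict[str, str | None] = {}
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        name = name.strip().lower()
        if not name or not all(c.isalnum() or c in "-_" for c in name):
            raise ValueError(f"malformed directive: {token!r}")
        if sep:
            arg = arg.strip()
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':
                arg = arg[1:-1]
            if not arg:
                raise ValueError(f"directive {name!r} has an empty argument")
            if name in ("max-age", "s-maxage") and not arg.isdigit():
                raise ValueError(f"{name} must be a non-negative integer, got {arg!r}")
        directives[name] = arg if sep else None
    return directives


def evaluate_cache_control(headers: dict[str, str], sensitive: bool = True) -> CacheControlFinding:
    """Apply the check to one response's headers (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cache-control")
    if value is None or not value.strip():
        return CacheControlFinding("missing", list(REQUIRED_DIRECTIVES),
                                   "no Cache-Control header in the response")
    try:
        directives = parse_cache_control(value)
    except ValueError as exc:
        return CacheControlFinding("invalid", list(REQUIRED_DIRECTIVES), str(exc))
    if not sensitive:
        return CacheControlFinding("ok", detail="non-sensitive response; header present and well-formed")
    missing = [d for d in REQUIRED_DIRECTIVES if d not in directives]
    if "public" in directives:
        return CacheControlFinding("weak", missing, "'public' lets shared caches store the response")
    if missing:
        return CacheControlFinding("weak", missing, "response may be stored client-side")
    detail = "" if lowered.get("pragma", "").lower() == "no-cache" else "add Pragma: no-cache for HTTP/1.0 caches"
    return CacheControlFinding("ok", detail=detail)


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "application/json"},
    "invalid": {"Cache-Control": "no-store, max-age=abc"},
    "weak": {"Cache-Control": "public, max-age=3600"},
    "hardened": {"Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache"},
}


def scan_samples() -> dict[str, str]:
    """Return the finding status for each constructed sample."""
    return {name: evaluate_cache_control(h).status for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        finding = evaluate_cache_control(hdrs)
        print(f"{name:9} -> {finding.status:8} {finding.detail}")
```

The `sensitive` flag is the judgement the scanner cannot make on its own: a public asset with `public, max-age=3600` is fine, while the same header on an account page is the weakness this check is about.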

GraphQL Specific

Apollo: To mitigate the risk of sensitive data exposure through caching, ensure that the Apollo server sets appropriate `Cache-Control` headers. Implement a middleware or use Apollo's built-in support to set the `Cache-Control` header to `no-store` for responses containing sensitive information, preventing them from being stored in the cache of the client's browser or intermediate proxies. This can be done either by configuring the Apollo server directly or by setting the headers on the response object within resolvers if a web framework such as Express.js is used alongside Apollo.
Yoga: To mitigate the risks associated with improper cache control in the Yoga framework engine, set the 'Cache-Control' header appropriately for each response. Configure the response headers to include 'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' for responses containing sensitive data, so that such data is not stored in the cache of the client's browser or intermediate proxies. For static assets that do not change frequently and do not contain sensitive information, a longer 'max-age' can be set to improve performance. Always ensure that the cache control policy aligns with the sensitivity and nature of the content being served.
Awsappsync: To mitigate the risk of sensitive data exposure through caching, ensure that the Cache-Control header is set to 'no-store, no-cache' for all responses containing sensitive information in the AWS AppSync framework. This instructs browsers and intermediate caches not to store any part of the response. Additionally, review and implement appropriate caching strategies for your GraphQL APIs to balance performance and security.
Graphqlgo: To mitigate the risk of sensitive data leakage through caching in a GraphQL Go framework, ensure that the HTTP response headers for GraphQL endpoints include appropriate Cache-Control directives. Set the 'Cache-Control' header to 'no-store' to prevent caching of responses on the client side and on any intermediate proxies. This can be implemented by adding middleware to your Go server that sets the header on each outgoing response, particularly for routes serving GraphQL queries and mutations. For example, with the 'net/http' package the header is set with `w.Header().Set("Cache-Control", "no-store")`, where `w` is the http.ResponseWriter for the request.
Graphqlruby: In the GraphQL Ruby framework, set the 'Cache-Control' header to values that prevent sensitive information from being stored in cacheable responses. Use the 'before_action' callback in your controllers to set the header, for example `response.headers['Cache-Control'] = 'no-store'` for actions that return sensitive data. Additionally, consider using the 'max-age' directive to specify the maximum time a response may be cached when caching is appropriate.
Hasura: To mitigate the risk of sensitive data being cached and potentially exposed, ensure that Hasura GraphQL engine responses are served with appropriate Cache-Control headers. Set the 'Cache-Control' header to 'no-store' for responses containing sensitive information to prevent them from being stored in the cache of the client's browser or intermediate proxies. This can be achieved by configuring the web server hosting the Hasura engine or by setting the headers directly in the Hasura console for custom endpoints.
Agoo: Ensure the Agoo framework engine is configured to include a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Ariadne: Ensure the 'Cache-Control' header is correctly implemented in the Ariadne framework engine to prevent sensitive information from being cached client-side. Set appropriate directives such as 'no-store' or 'private' to enhance security.
Caliban: Ensure the Caliban framework engine includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Dgraph: Ensure that the HTTP 'Cache-Control' header is properly configured in the Dgraph framework to prevent sensitive information from being cached client-side. Set appropriate directives such as 'no-store' or 'private' to control caching behavior and protect sensitive data.
Dianajl: Ensure the 'Cache-Control' header is correctly implemented in the DianaJL framework engine to prevent sensitive information from being cached client-side. Set appropriate directives such as 'no-store' or 'private' to enhance security.
Directus: Ensure that the Directus framework is configured to include a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. This can be done by setting appropriate caching directives such as 'no-store' or 'private' in the server configuration or middleware.
Flutter: Ensure that the Flutter framework engine properly implements and configures the 'Cache-Control' header to prevent sensitive information from being cached client-side.
Graphene: Ensure proper implementation of the 'Cache-Control' header in the Graphene framework to prevent sensitive information from being cached client-side. This can be achieved by setting appropriate directives such as 'no-store' or 'private' in the HTTP response headers.
Graphqlapiforwp: Ensure that the GraphQL API for WP framework engine properly implements the 'Cache-Control' header to prevent sensitive data from being cached client-side. Configure the server to return appropriate 'Cache-Control' directives, such as 'no-store' or 'private', for endpoints that handle sensitive information.
Graphqlgophergo: Ensure that the GraphQLGopherGo framework engine properly implements the 'Cache-Control' header to prevent sensitive information from being cached client-side. This can be done by configuring the server to include appropriate 'Cache-Control' directives in the HTTP response headers, such as 'no-store' or 'private', to protect sensitive data from unauthorized access.
Graphqljava: Ensure that the GraphQL Java framework engine is configured to include a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Graphqlphp: Ensure that the GraphQL server in the graphqlphp framework sets appropriate 'Cache-Control' headers to prevent sensitive data from being cached client-side. This can be done by configuring the server to include headers like 'Cache-Control: no-store' or 'Cache-Control: no-cache' for responses containing sensitive information.
Graphqlyoga: Ensure that the GraphQL Yoga server is configured to include a valid 'Cache-Control' header in its HTTP responses to prevent sensitive data from being cached client-side.
Hypergraphql: Ensure the 'Cache-Control' header is correctly configured in the HyperGraphQL framework to prevent sensitive data from being cached client-side. Set appropriate directives such as 'no-store' or 'private' to enhance security.
Jaal: Ensure the 'Cache-Control' header is properly configured in the Jaal framework engine to prevent sensitive information from being cached client-side. Set directives such as 'no-store' or 'private' to control caching behavior and protect data.
Juniper: Ensure the Juniper framework engine returns a valid 'Cache-Control' header to prevent sensitive information from being cached client-side.
Lacinia: Ensure that the server returns a valid 'Cache-Control' header to prevent sensitive information from being cached client-side. Configure the Lacinia framework engine to include appropriate cache directives, such as 'no-store' or 'private', in the HTTP response headers.
Lighthouse: Ensure the server returns a valid 'Cache-Control' header to prevent sensitive information from being cached client-side.
Mercurius: Ensure that the Mercurius framework engine sets appropriate 'Cache-Control' headers to prevent sensitive information from being cached client-side.
Morpheusgraphql: Ensure that the Morpheus GraphQL framework engine includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Gqlgen: Ensure proper validation and sanitization of input data in the gqlgen framework to prevent injection vulnerabilities.
Sangria: Ensure proper validation and sanitization of input data in the Sangria GraphQL engine to prevent injection attacks.
Shopify: Ensure that the Shopify app or theme includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. This can be done by configuring the server or using middleware to set appropriate caching directives.
Stepzen: Ensure that the StepZen framework engine includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. Configure the server to specify appropriate caching directives, such as 'no-store' or 'private', to enhance security and protect sensitive data.
Strawberry: Ensure that the Strawberry framework engine includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. Configure the server to set appropriate directives such as 'no-store' or 'private' for pages containing sensitive data.
Tartiflette: Ensure that the Tartiflette engine is configured to include a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Wpgraphql: Ensure that the 'Cache-Control' header is properly configured in the wpgraphql framework to prevent sensitive information from being cached client-side. This can be done by setting appropriate directives such as 'no-store' or 'private' to control how responses are cached and accessed.

REST Specific

Asp_net: In the ASP.NET framework, ensure that all responses containing sensitive information have an appropriate 'Cache-Control' header set. Use the HttpResponse.Cache property to set the cache policy for individual responses. For example, to prevent caching, add 'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate' to the header. This can be done by adding the following code to your Page_Load method or to a common method that is called for all page requests: `Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetNoStore(); Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); Response.Cache.SetProxyMaxAge(TimeSpan.Zero);`
Ruby_on_rails: In Ruby on Rails, set the 'Cache-Control' header to appropriate values for your responses. Use `response.headers['Cache-Control'] = 'no-store'` for pages containing sensitive information to prevent them from being cached on the client side.
Next_js: Ensure that your Next.js application sets appropriate 'Cache-Control' headers for responses containing sensitive information. Use `res.setHeader()` in your API routes or in getServerSideProps to set 'Cache-Control' to 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' so that sensitive data is not cached on the client side.
Laravel: In Laravel, ensure that responses containing sensitive information have appropriate 'Cache-Control' headers set. Use the 'header' method on the response object to set 'Cache-Control' to 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0' to prevent caching of such responses.
Express_js: In Express.js, ensure that responses containing sensitive information have appropriate Cache-Control headers set. Use the response object's `set` method to set the header, for example `res.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate')`. This prevents the caching of sensitive data on the client side.
Django: In Django, ensure that views serving sensitive information set the 'Cache-Control' header to 'no-store' to prevent caching of potentially sensitive data. This can be done with the 'cache_control' decorator or with middleware that sets the appropriate headers. For example, apply `@cache_control(no_store=True)` to your view functions.
Symfony: In Symfony, ensure that responses containing sensitive information have appropriate 'Cache-Control' headers set. Use the 'Response' object to add cache directives, for example `$response->headers->set('Cache-Control', 'no-cache, no-store, must-revalidate');`. Additionally, set the 'Pragma' and 'Expires' headers to prevent caching: `$response->headers->set('Pragma', 'no-cache');` and `$response->headers->set('Expires', '0');`. This instructs browsers not to cache the response, protecting sensitive data.
Spring_boot: In Spring Boot, configure the 'Cache-Control' header by implementing a WebMvcConfigurer and overriding the addInterceptors method. Use the 'addHeader' method of the HttpServletResponse to set the 'Cache-Control' directives appropriately, such as 'no-cache, no-store, must-revalidate' for sensitive pages. Additionally, consider using the @CacheControl annotation at the controller level where applicable.
Flask: In Flask, ensure that responses containing sensitive information have the 'Cache-Control' header set with appropriate directives. Use 'flask.make_response()' to create a response object and then set the header with `response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'`. This prevents the caching of sensitive data on the client side.
Nuxt: In Nuxt.js, ensure that all sensitive pages set the 'Cache-Control' header to 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' to prevent the caching of sensitive information. This can be done by using the 'nuxtServerInit' action or middleware to set the headers appropriately for each request.
Fastapi: In the FastAPI framework, ensure that responses containing sensitive information have appropriate Cache-Control headers set. Use the 'Response' class to add the 'Cache-Control' header with directives such as 'no-store' to prevent caching of sensitive data. For example, include the header in your endpoint function with `response.headers['Cache-Control'] = 'no-store, max-age=0'`. This instructs the client's browser not to cache the response, mitigating the risk of sensitive information being stored and potentially exposed.
Frappe: Ensure that the server returns a valid 'Cache-Control' header in the Frappe framework to prevent sensitive information from being cached client-side. This can be done by setting appropriate cache control directives in the response headers, such as 'no-store' or 'private', to enhance security and protect sensitive data.
Genzio: Ensure that the Genzio framework engine includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. Configure the server to specify appropriate caching directives, such as 'no-store' or 'private', to protect sensitive data.
Gin: Ensure that the Gin framework sets a valid 'Cache-Control' header by using middleware to add appropriate caching directives to HTTP responses, such as 'no-store' or 'private', to prevent sensitive information from being cached client-side.
Gorilla: Ensure that the Gorilla framework engine sets a valid 'Cache-Control' header to prevent sensitive information from being cached client-side. This can be done by configuring the server to include directives such as 'no-store' or 'private' in the 'Cache-Control' header for pages containing sensitive data.
Hapi: Ensure that the 'Cache-Control' header is properly set in your Hapi.js server responses to prevent sensitive information from being cached. You can do this by using the 'response.header()' method to set appropriate caching directives, such as 'no-store' or 'private', depending on your application's needs.
Hono: Ensure that the server returns a valid 'Cache-Control' header to prevent sensitive information from being cached client-side. Configure the server to include appropriate directives such as 'no-store' or 'private' for pages containing sensitive data.
Jersey: Ensure that the server includes a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side. In the Jersey framework, this can be achieved by setting the 'Cache-Control' header on the response using the ResponseBuilder class or by configuring it globally in the application settings.
Koa: Ensure that the 'Cache-Control' header is correctly set in your Koa application by using middleware to specify appropriate caching directives, such as 'no-store' or 'private', for routes that handle sensitive information.
Ktor: Ensure that the Ktor server sets a valid 'Cache-Control' header by configuring the response pipeline to include appropriate caching directives, such as 'no-store' or 'private', to prevent sensitive information from being cached client-side.
Leptos: Ensure that the Leptos framework server responses include a valid 'Cache-Control' header to prevent sensitive information from being cached client-side.
Macaron: Ensure that the 'Cache-Control' header is correctly set in the Macaron framework to prevent sensitive information from being cached client-side. Use middleware to add appropriate directives such as 'no-store' or 'private' to protect sensitive data.
Phoenix: Ensure that the 'Cache-Control' header is properly set in the Phoenix framework by using the `put_resp_header/3` function to specify appropriate caching directives, such as 'no-store' or 'private', for pages containing sensitive information.
Redwoodjs: Ensure that the HTTP 'Cache-Control' header is correctly set in your RedwoodJS application to prevent sensitive information from being cached client-side. You can do this by configuring your server to include appropriate cache directives, such as 'no-store' or 'no-cache', in the response headers for pages containing sensitive data.
Rocket: Ensure that the Rocket framework is configured to include a valid 'Cache-Control' header in HTTP responses to prevent sensitive information from being cached client-side.
Sveltekit: Ensure that the server in your SvelteKit application returns a valid 'Cache-Control' header by configuring the server response to include appropriate caching directives, such as 'no-store' or 'private', to prevent sensitive information from being cached client-side.
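The per-framework entries above, GraphQL and REST alike, all reduce to the same pattern: set the header in one place for every response, with the strict policy on sensitive routes and a cacheable one only for public static assets. This added example, not code from Escape or from any of the frameworks listed, does that as a plain WSGI middleware (the interface Django, Flask and other Python servers run on), so it runs offline without any framework installed. The demo routes, STATIC_PREFIX and both policy strings are constructed for the illustration.

```python
"""WSGI middleware that applies the Cache-Control remediation to every response."""
from __future__ import annotations

# Policy the remediation asks for on responses carrying sensitive data.
NO_STORE = "no-cache, no-store, must-revalidate"

# Constructed path prefix for public static assets, which may stay cacheable.
STATIC_PREFIX = "/static/"
STATIC_POLICY = "public, max-age=86400"


def cache_control_middleware(app):
    """Wrap a WSGI app so each response leaves with an explicit caching policy.

    Non-static responses get the no-store policy plus Pragma: no-cache. A view
    that already set Cache-Control keeps its own value, so it can opt into a
    more specific policy; the middleware only fills in what is missing.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            path = environ.get("PATH_INFO", "")
            static = path.startswith(STATIC_PREFIX)
            if "cache-control" not in names:
                headers.append(("Cache-Control", STATIC_POLICY if static else NO_STORE))
            if "pragma" not in names and not static:
                headers.append(("Pragma", "no-cache"))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed example app: an account endpoint, a static asset and a
    health route that sets its own policy."""
    path = environ.get("PATH_INFO", "")
    if path.startswith(STATIC_PREFIX):
        start_response("200 OK", [("Content-Type", "text/css")])
        return [b"body{}"]
    if path == "/health":
        start_response("200 OK", [("Content-Type", "text/plain"), ("Cache-Control", "no-store")])
        return [b"ok"]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"user":"alice","email":"alice@example.invalid"}']


def call(app, path: str) -> tuple[str, dict[str, str], bytes]:
    """Invoke a WSGI app offline and collect status, headers and body."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


app = cache_control_middleware(demo_app)


def policy_for(path: str) -> tuple[str | None, str | None]:
    """Return the (Cache-Control, Pragma) pair the wrapped app emits for a path."""
    _, headers, _ = call(app, path)
    return headers.get("Cache-Control"), headers.get("Pragma")


if __name__ == "__main__":
    for route in ("/api/me", "/static/app.css", "/health"):
        print(route, policy_for(route))
```

Deferring to a Cache-Control value the view set itself is a deliberate choice: it keeps the middleware from clobbering a deliberate `private, max-age=...` on a per-user page, but it also means a view that sets `public` on sensitive data is not corrected, which is exactly the case the scanner check is there to catch.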

Configuration

Identifier: protocol/header_cache_control

Examples

Ignore this check

checks:
  protocol/header_cache_control:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: SC-28

Classification

  • CWE: 524

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3

References