Security Test: Cache Control Header

Description

Default Severity:

When web content contains sensitive information, it's crucial to tell browsers and other caching mechanisms not to store that data. If a website doesn't set a proper Cache-Control header, browsers might save pages that should stay private, which can leave sensitive data exposed to anyone who gains access to the device. The vulnerability happens when developers overlook or misconfigure the header, causing potentially confidential pages to be cached. The risk is that sensitive info, like personal data or secure transactions, becomes retrievable even after a user has logged out or closed the browser, leading to privacy breaches or unauthorized data access.
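The check this test performs can be reproduced locally. Below is an added example, not the scanner's own code, of a small checker that parses a response's Cache-Control header and reports why a sensitive response could still be cached; the sample header sets are constructed for illustration.

```python
# Added example (not part of the scanner's own code): a minimal checker that
# mirrors what the protocol/header_cache_control test looks for. It parses the
# Cache-Control header and reports whether a response carrying sensitive data
# may be stored by the browser or an intermediate cache. Sample headers are constructed.
from typing import Dict, List, Optional


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split "no-store, max-age=0" into {"no-store": None, "max-age": "0"}.
    Directive names are case-insensitive (RFC 9111), so they are lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def check_cache_control(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries sensitive data.
    An empty list means browsers and shared caches are told not to store it."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control"))
    findings: List[str] = []
    if not cc:
        return ["Cache-Control header is missing"]
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; the response may be written to disk")
    if "public" in cc:
        findings.append("Cache-Control allows shared caches (public)")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control permits reuse for {max_age} seconds (max-age)")
    return findings


# Constructed sample responses: a misconfigured one and a hardened one.
WEAK_HEADERS = {"Content-Type": "application/json", "Cache-Control": "public, max-age=3600"}
SAFE_HEADERS = {"Content-Type": "application/json",
                "Cache-Control": "no-store, no-cache, max-age=0, must-revalidate"}
```

Run `check_cache_control` over the headers of any endpoint that returns personal data or session-bound content; a non-empty result is the condition this test flags.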

Reference:

Configuration

Identifier: protocol/header_cache_control

Examples

All available configuration:

checks:
  protocol/header_cache_control:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API7:2023
OWASP LLM Top 10 LLM06:2023
PCI DSS 6.5.10
GDPR Article-32
SOC2 CC1
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP SC-28
CWE 524
CVSS Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score 4.3