Protocol: Cache Control Header
Identifier:
header_cache_control
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
When web content contains sensitive information, it is crucial to tell browsers and intermediary caches (proxies, CDNs) not to store that data. If a website does not set a proper Cache-Control header, browsers and shared caches may keep copies of pages that should stay private, potentially leaving sensitive data exposed to anyone who later reads the cache.
How we test: We analyze HTTP response headers to detect whether the Cache-Control header is missing or misconfigured. We check that sensitive pages are marked so they are not stored (for example with no-store) and that the cache directives actually set do not permit caching of confidential information.
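The following is an added example, not the scanner's own code, showing how a check like the one described above can be implemented: it parses the Cache-Control header of each response and reports a sensitive response that is missing the header, lacks no-store, is marked public, or allows a positive max-age. The sample responses and the notion of which paths are "sensitive" are constructed for illustration.

```python
"""Flag sensitive HTTP responses whose Cache-Control header permits caching.

Added example; not the scanner's own implementation. Responses are modelled
as (headers, is_sensitive) pairs constructed inline below.
"""
from __future__ import annotations

# Finding messages, kept as constants so callers can match on them.
MISSING = "missing Cache-Control header on sensitive response"
NO_STORE_ABSENT = "Cache-Control lacks no-store (no-cache alone still allows storage)"
PUBLIC = "Cache-Control marks a sensitive response public"
POSITIVE_MAX_AGE = "Cache-Control allows caching for a positive max-age"


def parse_cache_control(value: str | None) -> dict[str, str | None]:
    """Parse a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive (RFC 9111), so they are lowercased;
    quoted arguments have their quotes removed.
    """
    directives: dict[str, str | None] = {}
    if not value:
        return directives
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def check_cache_control(headers: dict[str, str], sensitive: bool) -> list[str]:
    """Return a list of findings for one response (empty when it is fine).

    Header names are matched case-insensitively. Non-sensitive responses
    (static assets, public pages) are allowed to be cached and produce nothing.
    """
    if not sensitive:
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("cache-control")
    if raw is None:
        return [MISSING]
    d = parse_cache_control(raw)
    findings: list[str] = []
    if "no-store" not in d:
        findings.append(NO_STORE_ABSENT)
    if "public" in d:
        findings.append(PUBLIC)
    max_age = d.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(POSITIVE_MAX_AGE)
    return findings


# Constructed sample responses: path -> (response headers, is_sensitive).
SAMPLE_RESPONSES: dict[str, tuple[dict[str, str], bool]] = {
    "/account/profile": ({"Content-Type": "text/html", "Cache-Control": "no-cache"}, True),
    "/api/me": ({"content-type": "application/json"}, True),
    "/static/app.js": ({"Cache-Control": "public, max-age=31536000"}, False),
    "/billing": ({"Cache-Control": "no-store, no-cache, must-revalidate"}, True),
    "/reports": ({"Cache-Control": "public, max-age=600"}, True),
}


def audit(responses: dict[str, tuple[dict[str, str], bool]]) -> dict[str, list[str]]:
    """Run the check over every response and keep only those with findings."""
    results: dict[str, list[str]] = {}
    for path, (headers, sensitive) in responses.items():
        findings = check_cache_control(headers, sensitive)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_RESPONSES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Only the `/billing` response passes among the sensitive ones: `no-cache` by itself is a common misconfiguration because it permits storing the response and merely requires revalidation, whereas `no-store` forbids storing it at all.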
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.