Cache Control Header
Description
The HTTP 'Cache-Control' header is used to specify directives for caching mechanisms. The server did not return (or returned an invalid) 'Cache-Control' header, which means pages containing sensitive information could be stored client-side and then be exposed to unauthorized persons.
Remediation
Whenever possible, ensure the Cache-Control HTTP header is set with no-cache, no-store, must-revalidate, and that the pragma HTTP header is set with no-cache.
GraphQL Specific
Apollo
To mitigate the risk of sensitive data exposure through caching, ensure that the Apollo server sets appropriate Cache-Control headers. Implement a middleware or use Apollo's built-in support to set the Cache-Control header to no-store for responses containing sensitive information, preventing them from being stored in the cache of the client's browser or intermediate proxies. This can be done by either configuring the Apollo server directly or by setting the headers in the response object within resolvers if using a web framework like Express.js alongside Apollo.
Yoga
To mitigate the risks associated with improper cache control in the Yoga framework engine, it is recommended to set the 'Cache-Control' header appropriately for each response. This can be done by configuring the response headers to include 'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' for responses containing sensitive data, ensuring that such data is not stored in the cache of the client's browser or intermediate proxies. For static assets that do not change frequently and do not contain sensitive information, you can set a longer 'max-age' to improve performance. Always ensure that the cache control policy aligns with the sensitivity and nature of the content being served.
Awsappsync
To mitigate the risk of sensitive data exposure through caching, ensure that the Cache-Control header is set to 'no-store, no-cache' for all responses containing sensitive information in the AWS AppSync framework. This instructs browsers and intermediate caches to not store any part of the response. Additionally, review and implement appropriate caching strategies for your GraphQL APIs to balance performance and security.
Graphqlgo
To mitigate the risk of sensitive data leakage through caching in a GraphQL Go framework, ensure that the HTTP response headers for GraphQL endpoints include appropriate Cache-Control directives. Set the 'Cache-Control' header to 'no-store' to prevent the caching of responses on the client side and any intermediate proxies. This can be implemented by adding middleware to your Go server that sets the header for each outgoing response, particularly for routes serving GraphQL queries and mutations. For example, you can use the 'net/http' package to set the header like this: 'w.Header().Set("Cache-Control", "no-store")', where 'w' is the http.ResponseWriter for the request.
Graphqlruby
In the GraphQL Ruby framework, ensure that you set the 'Cache-Control' header to appropriate values that prevent sensitive information from being stored in cacheable responses. Use the 'before_action' callback in your controllers to set the header, for example: 'response.headers['Cache-Control'] = 'no-store' for actions that return sensitive data. Additionally, consider using the 'max-age' directive to specify the maximum amount of time a response can be cached when appropriate.
Hasura
To mitigate the risk of sensitive data being cached and potentially exposed, ensure that the Hasura GraphQL engine responses are served with appropriate Cache-Control headers. Set the 'Cache-Control' header to 'no-store' for responses containing sensitive information to prevent them from being stored in the cache of the client's browser or intermediate proxies. This can be achieved by configuring the web server hosting the Hasura engine or by setting the headers directly in the Hasura console for custom endpoints.
REST Specific
Asp_net
In the ASP.NET framework, ensure that all responses containing sensitive information have an appropriate 'Cache-Control' header set. Use the HttpResponse.Cache property to set the cache policy for individual responses. For example, to prevent caching, you can add 'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate' to the header. This can be done by adding the following code to your Page_Load method or in a common method that is called for all page requests: 'Response.Cache.SetCacheability(HttpCacheability.NoCache); Response.Cache.SetNoStore(); Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1)); Response.Cache.SetProxyMaxAge(TimeSpan.Zero);'
Ruby_on_rails
In Ruby on Rails, ensure that you set the 'Cache-Control' header to appropriate values for your responses. Use 'response.headers['Cache-Control'] = 'no-store'' for pages containing sensitive information to prevent them from being cached on the client side.
Next_js
Ensure that your Next.js application sets appropriate 'Cache-Control' headers for responses containing sensitive information. Use the 'res.setHeader()' function in your API routes or getServerSideProps function to set 'Cache-Control' to 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' to prevent sensitive data from being cached on the client side.
Laravel
In Laravel, ensure that responses containing sensitive information have appropriate 'Cache-Control' headers set. Use the 'header' method on the response object to set 'Cache-Control' to 'no-store, no-cache, must-revalidate, post-check=0, pre-check=0' to prevent caching of such responses.
Express_js
In Express.js, ensure that responses containing sensitive information have appropriate Cache-Control headers set. Use the response object's set method to set the header, like res.set('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate'). This prevents the caching of sensitive data on the client side.
Django
In Django, ensure that views serving sensitive information set the 'Cache-Control' header to 'no-store' to prevent caching of potentially sensitive data. This can be done by using the 'cache_control' decorator or middleware to set the appropriate headers. For example, you can use '@cache_control(no_store=True)' on your view functions.
Symfony
In Symfony, ensure that responses containing sensitive information have appropriate 'Cache-Control' headers set. Use the 'Response' object to add cache directives, for example: $response->headers->set('Cache-Control', 'no-cache, no-store, must-revalidate'); Additionally, set 'Pragma' and 'Expires' headers to prevent caching: $response->headers->set('Pragma', 'no-cache'); $response->headers->set('Expires', '0'); This will instruct browsers not to cache the response, protecting sensitive data.
Spring_boot
In Spring Boot, configure the 'Cache-Control' header by implementing a WebMvcConfigurer and overriding the addInterceptors method. Use the 'addHeader' method of the HttpServletResponse to set the 'Cache-Control' directives appropriately, such as 'no-cache, no-store, must-revalidate' for sensitive pages. Additionally, consider using the @CacheControl annotation at the controller level where applicable.
Flask
In Flask, ensure that responses containing sensitive information have the 'Cache-Control' header set with appropriate directives. Use 'flask.make_response()' to create a response object and then set the header using 'response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'. This prevents the caching of sensitive data on the client side.
Nuxt
In Nuxt.js, ensure that all sensitive pages set the 'Cache-Control' header to 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' to prevent the caching of sensitive information. This can be done by using the 'nuxtServerInit' action or middleware to set the headers appropriately for each request.
Fastapi
In the FastAPI framework, ensure that responses containing sensitive information have appropriate Cache-Control headers set. Use the 'Response' class to add the 'Cache-Control' header with directives such as 'no-store' to prevent caching of sensitive data. For example, you can include the header in your endpoint function like this: response.headers['Cache-Control'] = 'no-store, max-age=0'. This will instruct the client's browser not to cache the response, mitigating the risk of sensitive information being stored and potentially exposed.
Configuration
Identifier:
protocol/header_cache_control
Examples
Ignore this check
checks:
protocol/header_cache_control:
skip: true
Score
- Escape Severity: LOW
Compliance
- OWASP: API7:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SC-28