Roel

Remember to set Cache-Control headers on your secured pages

Last week we had a production issue about a potential data leak.

When users logged out of their profile, they could navigate back and view the pages as if they were still logged in. This is potentially harmful on a public or shared computer: you should be able to trust that the logout button removes every trace of you ever having logged in.

After a short investigation we found that an update a couple of days earlier had removed the Cache-Control header.

It should be set to something like this:

[image: cache-control example]

There are 3 main options to set in Cache-Control:

no-store
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2
This is the strictest option of all. It tells the browser not to store the request or the response in the cache at all.

no-cache
This tells the browser that it must re-validate the cached copy with the server before using it again. It does not mean that the response isn't stored in the cache.

must-revalidate
This tells the browser that the cached copy must be validated once it has expired, i.e. once the time given in the 'max-age' header value has elapsed. It does not mean that the response is validated on every use.

With our Cache-Control header set to no-store, no-cache, the browser keeps no copy of the page. Now if we log out of our profile and navigate back, there is no cached page to return to. This triggers a 'refresh'-like behaviour and forces the login page to show.
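As an added example that is not part of the original post, the block below classifies a Cache-Control value by the three directives just described, flags any response that lacks no-store as one that could be shown again after logout, and wraps a small constructed WSGI app in a middleware that forces the recommended `no-store, no-cache` value on pages behind a login. The path prefixes, the function names and the sample app are assumptions made for the demo, not anything from the post.

```python
"""Added example (not from the original post): classify a Cache-Control
header and force `no-store, no-cache` on private pages via WSGI middleware.
Path prefixes, names and the sample app are assumptions for the demo."""


def parse_cache_control(value):
    """Split 'max-age=60, must-revalidate' into
    {'max-age': '60', 'must-revalidate': None} (names lower-cased)."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def caching_behaviour(value):
    """Summarise what the browser may do with a response carrying this header,
    using the three directives discussed in the post (strictest first)."""
    d = parse_cache_control(value or "")
    if "no-store" in d:
        return "not stored"
    if "no-cache" in d:
        return "stored, revalidated before every reuse"
    if "must-revalidate" in d:
        return "stored, revalidated once max-age expires"
    return "stored, may be reused without revalidation"


def may_be_replayed_after_logout(headers):
    """True when the response could still be served from the browser cache
    after logout. `headers` is a list of (name, value) pairs as WSGI uses.
    Only no-store guarantees that nothing is kept, so anything else is flagged."""
    values = [v for n, v in headers if n.lower() == "cache-control"]
    if not values:
        return True  # no header at all: the browser may cache heuristically
    return "no-store" not in parse_cache_control(", ".join(values))


def no_store_for_private_pages(app, private_prefixes=("/profile", "/account")):
    """WSGI middleware (assumed design): on private paths, drop any existing
    Cache-Control header and replace it with the value the post recommends."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def patched_start_response(status, headers, exc_info=None):
            if path.startswith(private_prefixes):
                headers = [(n, v) for n, v in headers if n.lower() != "cache-control"]
                headers.append(("Cache-Control", "no-store, no-cache"))
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed sample app: the deploy that stopped sending the header."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Your profile</h1>"]


def response_headers_for(app, path):
    """Run `app` for `path` without a real server; return (headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"], body


if __name__ == "__main__":
    raw, _ = response_headers_for(demo_app, "/profile")
    print("without middleware, replayable after logout:", may_be_replayed_after_logout(raw))
    fixed, _ = response_headers_for(no_store_for_private_pages(demo_app), "/profile")
    print("with middleware, replayable after logout:", may_be_replayed_after_logout(fixed))
    print(dict(fixed))
```

`may_be_replayed_after_logout` is the check worth wiring into a deployment test: run it over the responses of every authenticated route after each release, so that a change like the one in the post is caught before it reaches production rather than by a user pressing Back.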

Our users are safe again! And we didn't even have to update our software.
