No caching policy¶

Sensitive resources are not cached? Yes / No

The front-end web server and web browsers cache pages and documents by default. Sensitive pages and downloads should have explicit no caching headers present.

Thread models include:

A caching front-end web server may lead user sessions when the HTTP response with a private cookie is accidentally cached.
The user device is compromised and sensitive information is extracted from the browser cache.

Generally, special attention should be paid to HTTP responses like:

Generated image, audio, video and other media downloads
Document downloads (Office files, PDF, CSV, TXT)

Links:

The Security Impact of HTTP Caching Headers (SANS ISC InfoSec)

Read the Docs v: latest

Versions: latest

Downloads: pdf; htmlzip; epub

On Read the Docs: Project Home; Builds

Free document hosting provided by Read the Docs.