No caching policy
Sensitive resources are not cached? Yes / No
The front-end web server and web browsers cache pages and documents by default. Sensitive pages and downloads should carry explicit no-cache headers (for example Cache-Control: no-store) so that neither a shared cache nor the browser keeps a copy.
Threat models include:
- A caching front-end web server may leak user sessions when an HTTP response carrying a private cookie is accidentally cached and served to other users.
- The user device is compromised and sensitive information is extracted from the browser cache.
Generally, special attention should be paid to HTTP responses like:
- Generated image, audio, video and other media downloads
- Document downloads (Office files, PDF, CSV, TXT)
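As an added example (not part of the original checklist), a small Python check that inspects a response's headers for the explicit no-caching policy this item asks for, and a helper that returns the header set to apply to such responses. The sample headers are constructed for illustration.

```python
# Added example: audit HTTP response headers of a sensitive resource for an
# explicit no-caching policy. Sample headers below are constructed values.
from typing import Dict, List

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into a lowercase directive -> value map."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def caching_findings(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that carries sensitive data.
    An empty list means the response is explicitly marked non-cacheable."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browsers and proxies may keep the body")
    if "set-cookie" in h and "private" not in cc and "no-store" not in cc:
        findings.append("Set-Cookie present but the response may be stored by a shared cache")
    if "public" in cc:
        findings.append("Cache-Control: public explicitly allows shared caching")
    if "max-age" in cc and cc["max-age"] != "0":
        findings.append(f"max-age={cc['max-age']} allows reuse of a cached copy")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (legacy HTTP/1.0 caches)")
    return findings

def no_cache_headers() -> Dict[str, str]:
    """Header set to attach to sensitive pages and downloads."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }

# Constructed sample: a document download that sets a session cookie but
# leaves the default, cacheable policy in place.
WEAK_DOWNLOAD = {
    "Content-Type": "application/pdf",
    "Set-Cookie": "session=constructed-value; HttpOnly",
    "Cache-Control": "public, max-age=3600",
}
HARDENED_DOWNLOAD = {"Content-Type": "application/pdf", **no_cache_headers()}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_DOWNLOAD), ("hardened", HARDENED_DOWNLOAD)):
        print(name, caching_findings(hdrs) or "OK")
```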