AEMaCS Author: Prevent the caching of sensitive data in browser
| Request for Feature Enhancement (RFE) Summary: |
Prevent the browser caching of (potentially) sensitive data (e.g. some personal data of the logged-in user) |
| Use-case: | AEMaCS Author sets the Cache-Control header with a directive that does not prevent the caching of sensitive data in the user’s browser. An attacker gaining access to the browser of a user with which sensitive information has been retrieved can get insights into the data by reading the cache. |
| Current/Experienced Behavior: | The application does not prevent the caching of (potentially) sensitive data. In the responses, the value of the Cache-Control header is set to ”no-cache”, as can be seen in the following screen- shot (please check the attached report.) The “no-cache” instruction only ensures that the browser validates that the content is up-to-date on the server before using the cache. A look into the browser cache shows that sensitive data (e.g. some personal data of the logged-in user) is stored there. |
| Improved/Expected Behavior: |
Set the following caching directives for any response which contains sensitive information. Pragma: no-cache Cache-Control: no-cache Cache-Control: no-store Most web browsers and proxy servers respect these directions and will not write data into their cache store. |
| Environment Details (AEM version/service pack, any other specifics if applicable): | AEMaCS Author |
| Customer-name/Organization name: | |
| Screenshot (if applicable): | 
|
| Code package (if applicable): |
3 Comments
