
AEMaCS Author: Prevent the caching of sensitive data in browser


Level 1

16-02-2023

Request for Feature Enhancement (RFE) Summary:

Prevent the browser caching of (potentially) sensitive data (e.g. some personal data of the logged-in user)

Use-case: AEMaCS Author sets the Cache-Control header with a directive that does not prevent the caching of sensitive data in the user’s browser. An attacker gaining access to the browser of a user with which sensitive information has been retrieved can get insights into the data by reading the cache.
Current/Experienced Behavior: The application does not prevent the caching of (potentially) sensitive data. In the responses, the value of the Cache-Control header is set to "no-cache", as can be seen in the following screenshot (please check the attached report). The "no-cache" instruction only ensures that the browser validates that the content is up-to-date on the server before using the cache. A look into the browser cache shows that sensitive data (e.g. some personal data of the logged-in user) is stored there.
Improved/Expected Behavior:

Set the following caching directives for any response which contains sensitive information.

Pragma: no-cache

Cache-Control: no-cache

Cache-Control: no-store

Most web browsers and proxy servers respect these directions and will not write data into their cache store.

Environment Details (AEM version/service pack, any other specifics if applicable): AEMaCS Author
Customer-name/Organization name:  
Screenshot (if applicable): cache-issue.jpg

Code package (if applicable):  
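The distinction the RFE rests on is that "no-cache" only forces revalidation before a stored copy is reused, while only "no-store" stops the browser from writing the response to disk at all. The following added example (not AEM code and not part of the original post) parses the Cache-Control directives of a response, reports which of the three requested directives are missing, and returns a hardened header set. The two sample responses are constructed to match the header sets the post describes.

```python
"""Check whether HTTP response headers stop a browser from storing a
response that carries sensitive data.

Added example for the RFE above; it is not AEM code. CURRENT_RESPONSE
and EXPECTED_RESPONSE are constructed samples matching the header sets
described in the post.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]  # (name, value) as sent on the wire, order preserved


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split one Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; arguments may be quoted
    (e.g. private="Set-Cookie"). A later duplicate overwrites an earlier one.
    """
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, has_arg, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def cache_directives(headers: List[Header]) -> Dict[str, Optional[str]]:
    """Merge every Cache-Control line of a response; a response may carry
    several, and caches treat them as one comma-joined list."""
    merged: Dict[str, Optional[str]] = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            merged.update(parse_cache_control(value))
    return merged


def may_be_stored(headers: List[Header]) -> bool:
    """True if the response body may be written to the browser cache.

    'no-cache' only forces revalidation before a stored copy is reused;
    the copy is still written to disk. Only 'no-store' forbids storing.
    """
    return "no-store" not in cache_directives(headers)


def audit(headers: List[Header]) -> List[str]:
    """Return the gaps against the three directives requested in the RFE."""
    findings: List[str] = []
    cc = cache_directives(headers)
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: body may be written to the cache")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: a stored copy may be reused without revalidation")
    pragmas = [v.lower() for n, v in headers if n.lower() == "pragma"]
    if not any("no-cache" in v for v in pragmas):
        findings.append("Pragma: no-cache missing (honoured by HTTP/1.0 caches)")
    return findings


def harden(headers: List[Header]) -> List[Header]:
    """Return a copy of the headers with the RFE directives added.

    Existing directives are kept: when 'no-store' is present a cache must
    not store the response regardless of any max-age it also carries.
    """
    out = list(headers)
    cc = cache_directives(headers)
    for directive in ("no-cache", "no-store"):
        if directive not in cc:
            out.append(("Cache-Control", directive))
    has_pragma = any(n.lower() == "pragma" and "no-cache" in v.lower() for n, v in headers)
    if not has_pragma:
        out.append(("Pragma", "no-cache"))
    return out


# Constructed sample: the header set the post reports AEMaCS Author sending today.
CURRENT_RESPONSE: List[Header] = [
    ("Content-Type", "application/json;charset=utf-8"),
    ("Cache-Control", "no-cache"),
]

# Constructed sample: the header set the RFE asks for.
EXPECTED_RESPONSE: List[Header] = [
    ("Content-Type", "application/json;charset=utf-8"),
    ("Pragma", "no-cache"),
    ("Cache-Control", "no-cache"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    for label, response in (("current", CURRENT_RESPONSE), ("expected", EXPECTED_RESPONSE)):
        print(f"{label}: storable={may_be_stored(response)} findings={audit(response)}")
```

Running the script shows the current response as storable with two findings (missing no-store and missing Pragma) and the expected response as not storable with no findings. The same audit can be run over captured responses from any endpoint that returns per-user data, which is a quicker check than inspecting the browser cache directory by hand.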
2 Comments


Administrator

23-02-2023

@Nelya-M 

Thanks for proposing this idea

This has been reported to engineering under the internal reference SITES-11909. The product team will triage this request to verify feasibility based on the prioritization model. This post will be updated according to the Jira request status.

Status changed to: Investigating


Level 1

24-02-2023

Hi @kautuk_sahni,

Thank you for the prompt reaction and for addressing the issue to engineering; I am looking for updates and a possible timeline.

Best regards