Prevent the browser caching of (potentially) sensitive data (e.g. some personal data of the logged-in user)
AEMaCS Author sets the Cache-Control header to a directive that does not prevent sensitive data from being cached in the user's browser. An attacker who gains access to a browser that was used to retrieve sensitive information can read that data from the cache.
The application does not prevent the caching of (potentially) sensitive data. In the responses, the value of the Cache-Control header is set to "no-cache", as can be seen in the following screenshot (please check the attached report). The "no-cache" directive only makes the browser revalidate with the server that the content is still current before reusing the cached copy; it does not stop the response from being written to the cache. A look into the browser cache shows that sensitive data (e.g. some personal data of the logged-in user) is stored there.
Set the following caching directives for any response that contains sensitive information.
Most web browsers and proxy servers respect these directives and will not write such data into their cache store.
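The difference between a revalidate-only "no-cache" response and one that is kept out of the cache store can be checked mechanically. The following is an added example, not code from the report or from AEM: it parses a Cache-Control header and lists why a response could still be cached. The sample headers are constructed, and the hardened directive set (no-store, no-cache, must-revalidate, private, max-age=0, plus Pragma and Expires for HTTP/1.0 caches) is the commonly recommended one, assumed here rather than quoted from the page.

```python
from typing import Dict, List, Optional

# Constructed sample headers; not captured from any real AEM instance.
WEAK_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    # "no-cache" only forces revalidation; the body is still written to the cache.
    "Cache-Control": "no-cache",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    # Standard directive set for sensitive responses (assumed, not quoted from the page).
    "Cache-Control": "no-store, no-cache, must-revalidate, private, max-age=0",
    "Pragma": "no-cache",  # honoured by HTTP/1.0 intermediaries that ignore Cache-Control
    "Expires": "0",
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument or None}, case-insensitively."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def caching_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a response with these headers may still be cached; empty means OK."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store; the body may be written to the cache store")
    if "public" in cc:
        findings.append("Cache-Control: public allows shared caches to keep the response")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0 and "no-store" not in cc:
        findings.append(f"max-age={max_age} lets the cached copy be reused without revalidation")
    if lowered.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache is missing (HTTP/1.0 caches ignore Cache-Control)")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, caching_findings(hdrs) or ["no caching findings"])
```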
Environment Details (AEM version/service pack, any other specifics if applicable):