
AEMaCS Author: Prevent the caching of sensitive data in browser

Level 1

2/16/23

Request for Feature Enhancement (RFE) Summary:

Prevent the browser caching of (potentially) sensitive data (e.g. some personal data of the logged-in user)

Use-case: AEMaCS Author sets the Cache-Control header with a directive that does not prevent the caching of sensitive data in the user’s browser. An attacker gaining access to the browser of a user with which sensitive information has been retrieved can get insights into the data by reading the cache.
Current/Experienced Behavior: The application does not prevent the caching of (potentially) sensitive data. In the responses, the value of the Cache-Control header is set to "no-cache", as can be seen in the following screenshot (please check the attached report). The "no-cache" instruction only ensures that the browser validates that the content is up-to-date on the server before using the cache. A look into the browser cache shows that sensitive data (e.g. some personal data of the logged-in user) is stored there.
Improved/Expected Behavior:

Set the following caching directives for any response which contains sensitive information.

Pragma: no-cache

Cache-Control: no-cache

Cache-Control: no-store

Most web browsers and proxy servers respect these directions and will not write data into their cache store.

Environment Details (AEM version/service pack, any other specifics if applicable): AEMaCS Author
Customer-name/Organization name:
Screenshot (if applicable): cache-issue.jpg

Code package (if applicable):
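The distinction the request draws between "no-cache" (revalidate before reuse, but the body is still written to disk) and "no-store" (never write the body) is easy to get wrong when checking a response by eye, especially when Cache-Control arrives as several header lines or with arguments such as max-age=0. The following checker is an added example, not code from the post or from Adobe; it parses the Cache-Control and Pragma headers of a response and reports whether the browser is actually forbidden from storing the body. The sample header sets are constructed for illustration and were not captured from any AEM instance.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample responses (not captured from a real AEM author instance):
# each is the list of (header name, value) pairs a browser would receive.
SAMPLE_RESPONSES: Dict[str, List[Tuple[str, str]]] = {
    # What the report describes: revalidation only, body still cached.
    "no-cache-only": [("Cache-Control", "no-cache")],
    # The behaviour the RFE asks for.
    "hardened": [
        ("Pragma", "no-cache"),
        ("Cache-Control", "no-cache"),
        ("Cache-Control", "no-store"),
    ],
    # Pragma alone is an HTTP/1.0 request directive, not a storage ban.
    "pragma-only": [("Pragma", "no-cache")],
    # No freshness information at all: heuristic caching may apply.
    "no-headers": [("Content-Type", "text/html")],
}


def parse_cache_control(headers: List[Tuple[str, str]]) -> Set[str]:
    """Collect Cache-Control directive names across all occurrences of the header.

    Header names are case-insensitive, directives are comma-separated and
    case-insensitive, and arguments ("max-age=0") are dropped so that only
    the directive name is kept.
    """
    directives: Set[str] = set()
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for token in value.split(","):
            directive = token.strip().split("=", 1)[0].lower()
            if directive:
                directives.add(directive)
    return directives


def storage_forbidden(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (forbidden, reason): True only if the browser must not store the body."""
    directives = parse_cache_control(headers)
    if "no-store" in directives:
        return True, "no-store present: the response body must not be written to cache"
    if "no-cache" in directives:
        return False, ("no-cache only forces revalidation before reuse; "
                       "the body is still stored on disk")
    pragma_values = [v for n, v in headers if n.lower() == "pragma"]
    if any("no-cache" in v.lower() for v in pragma_values):
        return False, "Pragma: no-cache alone is an HTTP/1.0 hint and does not prevent storage"
    return False, "no caching directives: heuristic caching may store the response"


def audit(responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Tuple[bool, str]]:
    """Run the check over a set of named responses, e.g. exported from a proxy log."""
    return {name: storage_forbidden(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{name:14s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Only the "hardened" sample passes; the "no-cache-only" sample, which matches the behaviour in the report, fails with the same explanation the request gives. The function can be pointed at response headers exported from a browser's developer tools or an intercepting proxy to confirm the fix once it ships.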
3 Comments

Administrator

2/23/23

@Nelya-M 

Thanks for proposing this idea

This has been reported to engineering under the internal reference SITES-11909. The product team will triage this request to verify feasibility based on the prioritization model. This post will be updated according to the Jira request status.

Status changed to: Investigating

Level 1

2/24/23

Hi @kautuk_sahni,

Thank you for the prompt reaction and for raising the issue with engineering; looking forward to updates and a possible timeline.
Best regards