| Field | Value |
|---|---|
| VID | 210181 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |

Detailed Description

The Cache-Control and Pragma HTTP headers are missing or not set properly, allowing browsers and proxies to cache the response content.

* References: https://www.owasp.org/index.php/Cache_Poisoning
* Platforms Affected: Any operating system, any version

Recommendation

* Define the following in Apache's httpd.conf file:

```apache
<IfModule mod_headers.c>
    Header set Content-Security-Policy "script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src http:; child-src 'unsafe-inline'"
    Header set X-Content-Type-Options nosniff
    Header set X-XSS-Protection "1;mode=block"
    Header set Cache-Control "no-store"
    Header set Pragma "no-cache"
    Header set X-Frame-Options SAMEORIGIN
</IfModule>
```

* In WAS, add the headers to the response from a servlet filter:

```java
response.setHeader("Cache-Control", "no-store");
response.setHeader("Pragma", "no-cache");
```
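As an added check that is not part of this record, the following Python evaluates a captured response header block against the recommendation above: Cache-Control must carry no-store and Pragma must be no-cache. The sample header blocks are constructed for the example.

```python
from typing import Dict, List, Set

# Constructed sample responses (not from the original record): one that
# satisfies the recommendation and one that a scanner would flag.
PASSING_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store
Pragma: no-cache
"""

FAILING_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=3600
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block into a lower-cased name -> list of values map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def directive_names(values: List[str]) -> Set[str]:
    """Collect comma-separated directive names (without =value) across all header instances."""
    names: Set[str] = set()
    for value in values:
        for token in value.split(","):
            name = token.strip().split("=", 1)[0].lower()
            if name:
                names.add(name)
    return names


def check_cache_headers(raw: str) -> List[str]:
    """Return findings; an empty list means the response matches the recommendation."""
    headers = parse_headers(raw)
    findings: List[str] = []
    cache = directive_names(headers.get("cache-control", []))
    if "cache-control" not in headers:
        findings.append("Cache-Control header missing")
    elif "no-store" not in cache:
        findings.append("Cache-Control lacks no-store: " + ", ".join(sorted(cache)))
    pragma = directive_names(headers.get("pragma", []))
    if "pragma" not in headers:
        findings.append("Pragma header missing")
    elif "no-cache" not in pragma:
        findings.append("Pragma is not no-cache")
    return findings
```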
| Related URL | Value |
|---|---|
| CVE | |
| SecurityFocus | |
| ISS | |