This article is a part of our Web Security Knowledge Base

Why Incomplete or No Cache-control and Pragma HTTP Header Set can be dangerous

Even after the session has been closed, it might be possible to access the private or sensitive data exchanged within the session through the web browser or proxy cache.

The ‘Cache-control’ HTTP header holds instructions for caching in both requests and responses. The ‘Pragma’ header is used for backwards compatibility with HTTP/1.0, where the ‘Cache-control’ header is not yet present.

How to fix Incomplete or No Cache-control and Pragma HTTP Header Set

Make sure the ‘Cache-control’ HTTP header is set to ‘no-cache, no-store, must-revalidate’ and the ‘Pragma’ header is set to ‘no-cache’ on HTTP responses where possible.

Example:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache

How does ScanRepeat report Incomplete or No Cache-control and Pragma HTTP Header Set

ScanRepeat analyzes every HTTP response, checking whether it should contain the HTTP ‘Cache-control’ header, and reports every occurrence of it missing or being incomplete. The ‘Pragma’ header is reported incomplete when it is present in the HTTP response and its value differs from ‘no-cache’. The ScanRepeat report includes the HTTP request URLs of every discovered misconfiguration of the ‘Cache-control’ and ‘Pragma’ headers along with their incorrect values.
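
The rules described above can be reproduced in a few lines for use in your own test suite. This is an added example, not ScanRepeat's own code: the function names and the sample responses are constructed, and it assumes every response passed in is one that should not be cached.

```python
REQUIRED = {"no-cache", "no-store", "must-revalidate"}

def parse_headers(raw):
    """Map lowercased header names to their values from a raw HTTP response."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_cache_headers(raw):
    """Return findings for missing or incomplete Cache-Control and Pragma headers."""
    headers = parse_headers(raw)
    findings = []
    cache_control = headers.get("cache-control")
    if cache_control is None:
        findings.append("Cache-Control missing")
    else:
        # Directives are comma separated and case-insensitive; a header may repeat.
        directives = {d.split("=")[0].strip().lower()
                      for value in cache_control
                      for d in value.split(",") if d.strip()}
        missing = REQUIRED - directives
        if missing:
            findings.append("Cache-Control incomplete: missing "
                            + ", ".join(sorted(missing)))
    # Pragma is only a finding when present with a value other than no-cache.
    pragma = headers.get("pragma")
    if pragma is not None and any(v.lower() != "no-cache" for v in pragma):
        findings.append("Pragma incomplete: " + ", ".join(pragma))
    return findings

# Constructed sample responses (not captured from a real application).
GOOD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Cache-control: No-Cache, no-store, must-revalidate\r\n"
        "Pragma: no-cache\r\n\r\n<html></html>")
PARTIAL = "HTTP/1.1 200 OK\r\nCache-Control: no-store\r\nPragma: cache\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("partial", PARTIAL), ("missing", MISSING)):
        print(label, audit_cache_headers(raw) or "OK")
```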
