This article is part of our Web Security Knowledge Base.
Why Incomplete or No Cache-control and Pragma HTTP Header Set can be dangerous
Even after the user has logged out or the session has expired, private or sensitive data exchanged during the session may still be retrievable from the web browser's cache (for example on a shared computer, through the back button or history) or from an intermediate proxy cache that stored the response.
The ‘Cache-Control’ HTTP header carries caching directives in both requests and responses. The ‘Pragma’ header exists for backwards compatibility with HTTP/1.0 caches, which predate ‘Cache-Control’ and do not understand it; such caches honour ‘Pragma: no-cache’, while HTTP/1.1 caches give ‘Cache-Control’ precedence.
How to fix Incomplete or No Cache-control and Pragma HTTP Header Set
Set the ‘Cache-Control’ header to ‘no-cache, no-store, must-revalidate’ and the ‘Pragma’ header to ‘no-cache’ on every HTTP response that carries private or session-specific data. ‘no-store’ is the directive that actually prevents the response from being written to a cache; ‘no-cache’ and ‘must-revalidate’ force any cache that does hold a copy to revalidate it with the origin before reuse. Public static assets (scripts, stylesheets, images) can keep a normal caching policy; the headers are needed on the responses that contain the sensitive data, not on every response.
Example:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
How does ScanRepeat report Incomplete or No Cache-control and Pragma HTTP Header Set
ScanRepeat analyzes every HTTP response, checks whether it should carry a ‘Cache-Control’ header, and reports every response where the header is missing or incomplete. The ‘Pragma’ header is reported as incomplete when it is present in the response and its value differs from ‘no-cache’. The report lists the request URL of every discovered misconfiguration of the ‘Cache-Control’ and ‘Pragma’ headers together with the incorrect header values.
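The following Python example is added here to illustrate both the fix and the check described above; it is not ScanRepeat's code and not part of the original article. It contains a WSGI middleware that applies the recommended ‘Cache-Control’ and ‘Pragma’ headers to every response except static assets (the ‘/static/’ prefix and the sample account application are assumptions made for illustration), and a checker that parses response headers the way a scanner would, reporting a missing or incomplete ‘Cache-Control’ header and a ‘Pragma’ header whose value is not ‘no-cache’. The app is invoked directly, so no server is required.

```python
"""Added example (not ScanRepeat's code): a WSGI middleware that enforces the
no-cache policy on sensitive responses, plus a checker that reports missing or
incomplete Cache-Control / Pragma headers. The sample app and the '/static/'
prefix are assumptions for illustration only."""

from typing import List, Tuple

Headers = List[Tuple[str, str]]

REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}
STATIC_PREFIXES = ("/static/",)  # assumption: assets under here may be cached


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control value into {directive: argument_or_None}.
    Directive names are case-insensitive, so they are lowercased; a quoted
    argument such as no-cache="Set-Cookie" has its quotes stripped."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def check_cache_headers(headers: Headers) -> List[str]:
    """Findings for a response that carries sensitive data; empty means OK."""
    findings = []
    cc_values = [v for k, v in headers if k.lower() == "cache-control"]
    if not cc_values:
        findings.append("Cache-Control header missing")
    else:
        # Several Cache-Control headers combine into one comma-separated list.
        directives = parse_cache_control(",".join(cc_values))
        missing = sorted(REQUIRED_DIRECTIVES - set(directives))
        if missing:
            findings.append("Cache-Control incomplete, missing: " + ", ".join(missing))
    for v in (v for k, v in headers if k.lower() == "pragma"):
        if v.strip().lower() != "no-cache":
            findings.append(f"Pragma present with value {v!r}, expected 'no-cache'")
    return findings


def no_cache_middleware(app):
    """WSGI middleware: add the no-cache headers to every non-static response.
    Existing Cache-Control/Pragma headers are replaced, so a permissive value
    set by the application cannot override the policy."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def hardened_start_response(status, headers, exc_info=None):
            if not path.startswith(STATIC_PREFIXES):
                headers = [(k, v) for k, v in headers
                           if k.lower() not in ("cache-control", "pragma")]
                headers.append(("Cache-Control", "no-cache, no-store, must-revalidate"))
                headers.append(("Pragma", "no-cache"))
            return start_response(status, headers, exc_info)

        return app(environ, hardened_start_response)
    return wrapped


def account_app(environ, start_response):
    """Constructed sample app: returns account data with a permissive policy."""
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b'{"balance": 1234}']


def call(app, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app in-process and capture status, headers and body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, raw_headers, _ = call(account_app, "/account")
    print("before:", check_cache_headers(raw_headers))
    _, fixed_headers, _ = call(no_cache_middleware(account_app), "/account")
    print("after:", check_cache_headers(fixed_headers))
```

Run as a script, the checker first flags the sample app's ‘public, max-age=3600’ policy as incomplete and then reports nothing once the middleware has wrapped it; a request under ‘/static/’ passes through unchanged, which is the intended exception for public assets.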
Would you like to test your application now against this problem? Sign up for our free trial
Scan Your Web App Now