DEV Community

Roel
Roel

Posted on

Remember to set Cache-Control headers on your secured pages

Last week we had a production issue about a potential data leak.

When users would logout of their profile they could navigate back and view the pages as if they were logged in. This could be potentially harmful when you are on a public or shared computer. Obviously you should trust the website that the logout button forgets all trace of you ever logging in.

After a short investigation we found that an update a couple days prior removed the Cache-Control header.

It should be set to something like this:

cache-control example

There are 3 main options to set in cache-control:
no-store
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2
This is the most strict option of all. It tells the browser to not store any response or request in the cache at all.

no-cache
This tells the browser that it should re-validate the cache with the server before using it again. It doesn't mean that the response isn't stored in the cache.

must-revalidate
This tells the browser that the validation of the cache should happen when the date expired on the cache, using the header 'max-age' value. It doesn't mean that the response is always explicitly validated.

Setting our Cache-Control header to no-store, no-cache we will have no cache in our browser. Now if we logout of our profile and navigate back there is no cached page to return to. This will trigger a 'refresh' like behavior and fore the login page to show.

Our users are safe again! And we didn't even have to update our software.

Discussion (0)