Browser Caching Demystified

yoneil ‎08-07-2013 01:21 PM - edited ‎08-08-2013 11:13 AM

Last weekend Las Vegas welcomed DEFCON 21 – one of the biggest hacker conventions in the world. I enjoyed it immensely and thought that the quality of the presented material was much better than the talks from the last couple of years. This year, DEFCON had several themes, one of which was privacy. One of the talks that caught my attention (in fact, it was the last talk of the convention) was a 20-minute presentation on browser caching – an eye-opening experience for me and an exemplary illustration of DEFCON’s privacy theme.


Jacob Thompson from Independent Security Evaluators went over his case study of the page caching policies implemented in current browsers, and identified a number of web sites that let sensitive information delivered over HTTPS be written to the browser's on-disk cache.


The table below provides a quick summary of browser behavior with respect to caching pages delivered over HTTPS. "Cache" means the browser writes the page to disk; "Don't cache" means it does not.

Directive                                        IE           Firefox pre 4.0   Firefox post 4.0   Chrome       Safari
Default behavior                                 Cache        Don't cache       Cache              Cache        Don't cache
HTTP header Cache-Control: no-store              Don't cache  Don't cache       Don't cache        Don't cache  Don't cache
HTTP header Cache-Control: no-cache              Don't cache  Don't cache       Cache              Cache        Don't cache
HTTP header Cache-Control: public                Cache        Cache             Cache              Cache        Don't cache
HTTP header Pragma: no-cache                     Don't cache  Don't cache       Cache              Cache        Don't cache
HTML tag <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
                                                 Don't cache  Don't cache       Cache              Cache        Don't cache

In general, there are three ways developers try to prevent caching:

  1. By specifying the Cache-Control header,
  2. By specifying the Pragma header, and
  3. By specifying the Pragma meta tag.

Only “Cache-Control: no-store” is implemented consistently across all five browsers. “Cache-Control: no-cache” is also standard, but it means “revalidate with the server before reusing this response”, not “do not write it to disk”, which is why Firefox 4+ and Chrome still store such pages. “Pragma: no-cache” is an HTTP/1.0 field whose no-cache meaning is only defined for requests, so browsers are free to ignore it in responses, and the META tag form is honored only by browsers that choose to interpret it. Therefore, the best advice to web application developers is to always send “Cache-Control: no-store” for content that should not be cached, rather than relying on no-cache, Pragma, or a meta tag alone. And if you get it wrong, our HP WebInspect solution can come in handy.
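The following is an added example, not code from the talk, from ISE or from HP. It encodes the table above exactly as the post reports it, parses a captured response header block, reports which of the five browsers would write the page to disk, and rewrites the headers the way the recommendation says. The table only tests one directive at a time, so the precedence used when several are present (no-store before no-cache before public, headers before the meta tag) is an assumption of this example, as are the function names and the constructed sample capture.

```python
"""Audit and harden HTTP caching headers for pages served over HTTPS.

Added example for this post (not code from the talk, from ISE or from HP):
the browser/directive matrix is the table above as the post reports it; the
directive precedence, function names and the captured response are constructed.
"""
import re

# Column order matches the table above. True = that browser writes the page to disk.
BROWSERS = ("IE", "Firefox pre 4.0", "Firefox post 4.0", "Chrome", "Safari")
CACHES_ON_DISK = {
    "default":                 (True,  False, True,  True,  False),
    "cache-control: no-store": (False, False, False, False, False),
    "cache-control: no-cache": (False, False, True,  True,  False),
    "cache-control: public":   (True,  True,  True,  True,  False),
    "pragma: no-cache":        (False, False, True,  True,  False),
    "meta pragma: no-cache":   (False, False, True,  True,  False),
}

# Simple pattern for the meta tag row; attribute order is assumed to be as in the table.
META_PRAGMA_RE = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?pragma["\']?\s+content\s*=\s*["\']?no-cache["\']?',
    re.IGNORECASE,
)


def parse_raw_headers(raw):
    """Turn a captured response header block (e.g. from `curl -i`) into a dict.
    Header names are lower-cased; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ", "\t")):
            continue
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def cache_control_directives(value):
    """'private, max-age=0, no-store' -> {'private', 'max-age', 'no-store'}"""
    return {t.strip().split("=", 1)[0].lower() for t in value.split(",") if t.strip()}


def matching_row(headers, body=""):
    """Pick the table row that applies to this response.
    Precedence (an assumption of this example, since the table tests one directive
    at a time): no-store, then no-cache, then public, then Pragma, then the meta tag."""
    h = {k.lower(): v for k, v in headers.items()}
    d = cache_control_directives(h.get("cache-control", ""))
    if "no-store" in d:
        return "cache-control: no-store"
    if "no-cache" in d:
        return "cache-control: no-cache"
    if "public" in d:
        return "cache-control: public"
    if h.get("pragma", "").strip().lower() == "no-cache":
        return "pragma: no-cache"
    if META_PRAGMA_RE.search(body):
        return "meta pragma: no-cache"
    return "default"


def browsers_that_cache(headers, body=""):
    """Browsers from the table that would write this HTTPS response to disk."""
    row = CACHES_ON_DISK[matching_row(headers, body)]
    return [b for b, cached in zip(BROWSERS, row) if cached]


def harden(headers):
    """Copy of the headers made safe for sensitive content: Cache-Control: no-store
    (the one directive every browser in the table honours) plus Pragma: no-cache for
    HTTP/1.0-era intermediaries. Any existing Cache-Control/Pragma value (such as
    'public') is replaced rather than merged."""
    out = {k: v for k, v in headers.items() if k.lower() not in ("cache-control", "pragma")}
    out["Cache-Control"] = "no-store"
    out["Pragma"] = "no-cache"
    return out


# Constructed sample: what a capture of an account page might look like.
CAPTURED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: private, max-age=0
Set-Cookie: session=REDACTED; Secure; HttpOnly
"""

if __name__ == "__main__":
    hdrs = parse_raw_headers(CAPTURED)
    print("before:", browsers_that_cache(hdrs))          # ['IE', 'Firefox post 4.0', 'Chrome']
    print("after: ", browsers_that_cache(harden(hdrs)))  # []
```

Note that "private, max-age=0" lands on the table's default row: neither directive appears in the table, and neither tells a browser not to write the response to disk, so the audit still flags three browsers until no-store is added.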
