Security Research

Browser Caching Demystified

yoneil ‎08-07-2013 01:21 PM - edited ‎08-08-2013 11:13 AM

Last weekend Las Vegas welcomed DEFCON 21 – one of the biggest hacker conventions in the world. I enjoyed it immensely and thought that the quality of presented material was much better than the talks from the last couple of years. This year, DEFCON had several themes, one of which was privacy. One of the talks that caught my attention (in fact, it was the last talk of the convention) was a 20-minute presentation on browser caching – an eye-opening experience for me and an exemplary illustration of DEFCON’s privacy theme.

 

Jacob Thompson from Independent Security Evaluators went over his case study that discusses page caching policies implemented in current browsers and identifies a number of web sites that cache sensitive information delivered over HTTPS on disk.

 

The table below provides a quick summary of browser behavior with respect to caching pages delivered over HTTPS.

 

 

| | IE | Firefox pre 4.0 | Firefox post 4.0 | Chrome | Safari |
| --- | --- | --- | --- | --- | --- |
| Default behavior | Cache | Don’t cache | Cache | Cache | Don’t cache |
| The HTTP header Cache-Control: no-store | Don’t cache | Don’t cache | Don’t cache | Don’t cache | Don’t cache |
| The HTTP header Cache-Control: no-cache | Don’t cache | Don’t cache | Cache | Cache | Don’t cache |
| The HTTP header Cache-Control: public | Cache | Cache | Cache | Cache | Don’t cache |
| The HTTP header Pragma: no-cache | Don’t cache | Don’t cache | Cache | Cache | Don’t cache |
| The HTML tag `<META HTTP-EQUIV="Pragma" CONTENT="no-cache">` | Don’t cache | Don’t cache | Cache | Cache | Don’t cache |

 

In general, there are three main ways to prevent caching:

  1. By specifying the Cache-Control header
  2. By specifying the Pragma header, and
  3. By specifying the Pragma meta tag.

Only “Cache-Control: no-store” is actually standard and correctly implemented in all the browsers. Therefore, the best advice to web application developers is to always use “Cache-Control: no-store” for content that should not be cached. And if you get it wrong, our HP WebInspect solution can come in handy.
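As an added example (not from the original post or the DEFCON talk), the Python sketch below parses a response's Cache-Control and Pragma headers and reports which browsers in the table above would still cache it on disk. The function names, the precedence between mechanisms and the sample headers are assumptions made for illustration.

```python
import re

# Rows copied from the article's table (browser behaviour as reported in 2013).
# True means the HTTPS response is written to the disk cache.
BROWSERS = ("IE", "Firefox pre 4.0", "Firefox post 4.0", "Chrome", "Safari")
TABLE = {
    "default":         (True, False, True, True, False),
    "cc:no-store":     (False, False, False, False, False),
    "cc:no-cache":     (False, False, True, True, False),
    "cc:public":       (True, True, True, True, False),
    "pragma:no-cache": (False, False, True, True, False),
}

# One directive: token, optional =value (quoted values may contain commas).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9_-]+)\s*(?:=\s*(?:"[^"]*"|[^,]*))?\s*(?:,|$)')


def directives(headers, name):
    """Collect lower-cased directive names from every header called `name`."""
    found = set()
    for key, value in headers:
        if key.strip().lower() == name:
            found.update(d.lower() for d in _DIRECTIVE.findall(value))
    return found


def browsers_caching(headers):
    """Return the browsers that, per the table, cache this response on disk."""
    cc = directives(headers, "cache-control")
    pragma = directives(headers, "pragma")
    # Assumption: when several mechanisms are present, the first match in
    # this order decides; the article only tabulates them one at a time.
    if "no-store" in cc:
        row = "cc:no-store"
    elif "no-cache" in cc:
        row = "cc:no-cache"
    elif "no-cache" in pragma:
        row = "pragma:no-cache"
    elif "public" in cc:
        row = "cc:public"
    else:
        row = "default"
    return [b for b, cached in zip(BROWSERS, TABLE[row]) if cached]


# Constructed sample: a "no caching" header set that omits no-store.
SAMPLE = [("Cache-Control", "private, no-cache, max-age=0"), ("Pragma", "no-cache")]

if __name__ == "__main__":
    print("still cached by:", browsers_caching(SAMPLE))
```

An empty result means the response carries no-store; anything else lists the browsers from the table that the header set does not cover.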
