Incomplete or No Cache-control and Pragma HTTP Header Set warning


Mark Kudryk

Apr 19, 2016, 11:01:12 AM4/19/16
to OWASP ZAP User Group
Hi,

In the app I'm testing, ZAP has flagged many of our responses with a low-risk warning of "Incomplete or No Cache-control and Pragma HTTP Header Set warning". ZAP suggests the following solution: "Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate, private; and that the pragma HTTP header is set with no-cache." If no-store is specified, why are the other headers required?

When I read the HTTP 1.1 spec, my understanding from sections 14.9 - 14.9.2 is if no-store is specified, then responses must not be cached (shared or non-shared); caching is off, therefore the need to specify no-cache, private, etc. is obviated. Google developers published a diagram on optimal caching policy which appears to confirm my understanding of the spec: if no-store is specified nothing else is needed.

Have I missed something from ZAP's perspective?

Thanks in advance,

Mark


kingthorin+owaspzap

Apr 19, 2016, 2:52:28 PM4/19/16
to OWASP ZAP User Group
I believe the thing here is that per spec no-store is intended to behave as you've outlined. However, in practice (or "in the wild") various browsers and caches have been found non-compliant with the spec, therefore a more all-inclusive set of cache prevention directives is suggested. Keep in mind this is intended to address not only client (browser) cache, but also intermediate caches.

kingthorin+owaspzap

Apr 19, 2016, 3:06:09 PM4/19/16
to OWASP ZAP User Group
Two other things to note:

1) There's an alpha quality passive scanner that attempts to detect "storable" and "cacheable" responses:
https://github.com/zaproxy/zap-extensions/blob/alpha/src/org/zaproxy/zap/extension/pscanrulesAlpha/CacheableScanner.java
(Which uses a different approach than the CacheControl release quality rule you're talking about: https://github.com/zaproxy/zap-extensions/blob/master/src/org/zaproxy/zap/extension/pscanrules/CacheControlScanner.java)

2) You can grab the Context Alert Filters addon from the Marketplace and use it to reclassify findings in bulk (as you scan) if necessary:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAlertFiltersAlertFilter
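As an added example, not ZAP's own code and not part of this thread: a small Python check that reports which of the directives quoted in the first post ("no-cache, no-store, must-revalidate, private" in Cache-Control and "no-cache" in Pragma) are missing from a response. It is run over constructed sample header sets, including the no-store-only case Mark describes, so the belt-and-braces reasoning in the replies can be seen in action: a spec-compliant `no-store` response is still reported because the check, like the rule, asks for the full set.

```python
"""Check a response's Cache-Control / Pragma directives against the full
set recommended in the thread. Added example; not code from ZAP."""

# The directive set quoted from the ZAP alert text in the first post.
RECOMMENDED_CACHE_CONTROL = {"no-cache", "no-store", "must-revalidate", "private"}
RECOMMENDED_PRAGMA = {"no-cache"}


def parse_directives(header_value):
    """Split a Cache-Control or Pragma value into a {name: value} dict.

    'max-age=0, No-Store' -> {'max-age': '0', 'no-store': None}
    Directive names are case-insensitive, so they are lowercased.
    """
    directives = {}
    if not header_value:
        return directives
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def get_header(headers, name):
    """Case-insensitive lookup in a dict of response headers; joins duplicates."""
    values = [v for k, v in headers.items() if k.lower() == name.lower()]
    return ", ".join(values) if values else None


def check_cache_headers(headers):
    """Return the missing recommended directives, keyed by header name.

    An empty dict means the response carries the full set. A response with
    only 'no-store' is spec-compliant but is still reported, mirroring the
    reasoning in the replies: some caches and browsers in the wild have
    not honoured no-store on its own.
    """
    cc = parse_directives(get_header(headers, "Cache-Control"))
    pragma = parse_directives(get_header(headers, "Pragma"))
    findings = {}
    missing_cc = sorted(RECOMMENDED_CACHE_CONTROL - set(cc))
    if missing_cc:
        findings["Cache-Control"] = missing_cc
    missing_pragma = sorted(RECOMMENDED_PRAGMA - set(pragma))
    if missing_pragma:
        findings["Pragma"] = missing_pragma
    return findings


# Constructed sample responses; not captured from any real application.
SAMPLE_RESPONSES = {
    "no-store only (the case raised in the thread)": {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
    },
    "full recommended set": {
        "Content-Type": "text/html",
        "cache-control": "no-cache, no-store, must-revalidate, private",
        "Pragma": "no-cache",
    },
    "no caching headers at all": {
        "Content-Type": "text/html",
    },
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        result = check_cache_headers(headers)
        status = "OK" if not result else "would be flagged, missing %s" % result
        print("%s -> %s" % (label, status))
```

Running the block prints one line per sample; only the response carrying all five directives passes. If you decide, as the second reply suggests, that a no-store-only response is acceptable in your context, the `RECOMMENDED_*` sets are the single place to relax the policy.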