Correct usage of Cache-Control / pragma for caching static assets


TeeWeTee

Feb 17, 2021, 8:43:38 AM2/17/21
to OWASP ZAP User Group
I ran ZAP and it did flag several instances of "Incomplete or No Cache-control and Pragma HTTP Header Set".
The requests we didn't want cached were easily fixed by adding "Cache-Control: no-cache, no-store, must-revalidate" and everything is fine. (Although there is currently some discussion about whether this is still the recommended solution, that's not the question right now.)
There are however some resources (called static assets) which should be cached in our case. Specifically css, js, image files etc. Now I followed the recommendation for caching static assets by using "Cache-Control: public, max-age=600, immutable" (and did not set pragma). However ZAP still reports "Incomplete or No Cache-control and Pragma HTTP Header Set" for these static assets. In the description it states:

Description: The cache-control and pragma HTTP header have not been set properly or are missing allowing the browser and proxies to cache content.
Evidence: public, max-age=600, immutable
Solution: Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate; and that the pragma HTTP header is set with no-cache.

Is this a false positive? Because in certain cases it makes sense to cache ;-)


PS: Additionally there is only one link in the description which isn't helpful. An additional link to the MDN site would be good.
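The two header policies discussed in this post, written up as a small checker (an added example, not code from the thread or from ZAP): static assets are held to "public, max-age=..., immutable", everything else to "no-cache, no-store, must-revalidate" plus "Pragma: no-cache", which is why a single strict rule flags the static form. The extension list and the path-based classification are assumptions for this example.

```python
"""Classify Cache-Control headers under two policies (added example)."""
import posixpath

# Assumption: extensions treated as static assets for this example.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff2"}

# Directives the ZAP alert's "Solution" text asks for on non-cacheable responses.
NO_STORE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


def parse_cache_control(value):
    """Parse 'public, max-age=600, immutable' into a directive dict.
    Directive names are case-insensitive, so they are lowercased;
    valueless directives map to None."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def is_static_asset(path):
    return posixpath.splitext(path)[1].lower() in STATIC_EXTENSIONS


def check_caching(path, headers):
    """Return (ok, reason) for one response; `headers` keys are lower-cased."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if is_static_asset(path):
        # Static-asset policy: a numeric max-age and no no-store, which would
        # defeat caching entirely. "immutable" is optional here.
        if "no-store" in cc:
            return False, "static asset marked no-store"
        if not (cc.get("max-age") or "").isdigit():
            return False, "static asset lacks numeric max-age"
        return True, "static asset cacheable"
    # Dynamic/sensitive policy: all three directives plus Pragma: no-cache,
    # matching what the ZAP alert recommends.
    missing = NO_STORE_DIRECTIVES - set(cc)
    if missing:
        return False, "missing " + ", ".join(sorted(missing))
    if headers.get("pragma", "").lower() != "no-cache":
        return False, "Pragma: no-cache not set"
    return True, "response will not be cached"
```

Running the static-asset header from the post through the dynamic policy reproduces the alert; through the static policy it passes, which is the per-path decision the analyst has to make.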


kingthorin+owaspzap

Feb 17, 2021, 11:36:56 AM2/17/21
to OWASP ZAP User Group
Of course it's up to the end user/analyst to decide if an alert is applicable to a given piece of content.

You can also address them going forward by using Alert Filters https://www.zaproxy.org/docs/desktop/addons/alert-filters/