Web Cache Security For Your Website

Caching is a method by which website content is stored locally by someone other than the site where the content is hosted. This is often done by proxies run by ISPs to improve end-user performance and decrease bandwidth requirements, or even on the end user's machine.

Web Cache Directives and Associated Risks

When done properly, caching can give your site a significant performance boost, as visitors see content served from proxies physically closer to them, relieving your server from having to do the work, or by showing them content they have already viewed immediately.

Certain types of content, however, can be compromised if caching is not done correctly. Imagine the following scenario:

Sally logs onto a dating website, and sees a new message from someone. A few seconds later, Tom, someone across town, pulls up the same page, but sees the message meant for Sally. What happened? The local ISP stored a cached copy of Sally's page, so when Tom tried to view it, the local proxy just sent Tom a copy, believing all was fine. Now Sally's data has been compromised!

A potentially more serious problem involves the incorrect caching of cookies. Imagine a scenario similar to the one above, but this time not only the page was cached, but also the login cookies which were sent to Sally. Now Tom, just by requesting the page, is logged in as Sally! How could this happen? As in the story above, the local proxy thought the cookie should be cached, and returned it to Tom, not realizing that it was a session cookie, used to determine who the user is.

Data or Account Loss

As illustrated above, the impact can be moderate, leading to potential data loss for your visitors, or high, leading to account loss.

This is classified as a high impact event if the details being cached are user cookies and a moderate impact event if the data is not cookie related. In the first case, account details can be taken or users impersonated. In the second, data may be lost to unauthorized users.

Revealing personal data or account details can result in a serious breach of user trust, and should be corrected immediately.

Prevent Incorrect Web Caching

This vulnerability comes about via sending the wrong caching headers. If you enable default Apache caching, Apache may have decided that every piece of content should be cached. It is up to the web administrator to make sure that data which should not be cached is defined as such. Defining things as not cacheable is a simple process.

To prevent caching, set the following header directives for each piece of content which should not be cached:

Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-control: no-cache, must-revalidate

You can set this in PHP using the header directive, like so:

<?php
  header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
  header("Pragma: no-cache");                         // Just in case
  header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");   // Date in the past
?>

You can also consider setting caching directives as private (stored only on the end user's computer, not on intermediate proxies) to gain some caching benefits, while protecting against proxies serving the same content to other users. Read some of the links in the resources section to get a flavor of the various directives and how they can be utilized to maximize user privacy and user security.
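
To verify what your server actually sends, the response headers can be classified from a shared proxy's point of view. The Python below is an added example, not code from the original article: it rates impact the way the article does (high when a reusable response sets a cookie, moderate otherwise). The function names and sample headers are constructed for illustration, and `no-store`, `max-age` and `s-maxage` are standard Cache-Control directives that the article does not list.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the three headers the article recommends.
SAMPLE = [("Expires", "Fri, 01 Jan 1990 00:00:00 GMT"), ("Pragma", "no-cache"),
          ("Cache-control", "no-cache, must-revalidate")]

def parse_cache_control(value):
    """Return {directive: argument or None} for a Cache-Control value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def expired(value, now):
    """True if an Expires date is in the past; unparseable dates count as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def shared_cache_verdict(headers, now=None):
    """Classify (name, value) response headers as a shared proxy would.
    Returns (verdict, impact): 'not-stored' | 'revalidated' | 'reusable'."""
    now = now or datetime.now(timezone.utc)
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    cc = parse_cache_control(",".join(h.get("cache-control", [])))
    bare = {d for d, arg in cc.items() if arg is None}  # unqualified directives only
    age = cc.get("s-maxage") or cc.get("max-age")       # s-maxage wins for proxies
    if bare & {"private", "no-store"}:
        verdict = "not-stored"
    elif "no-cache" in bare or any("no-cache" in p.lower() for p in h.get("pragma", [])):
        verdict = "revalidated"
    elif age is not None:
        verdict = "reusable" if age.isdigit() and int(age) > 0 else "revalidated"
    elif "expires" in h:
        verdict = "revalidated" if expired(h["expires"][0], now) else "reusable"
    else:
        verdict = "reusable"  # no directives: a proxy may apply heuristic freshness
    if verdict != "reusable":
        return verdict, "none"
    return verdict, "high" if "set-cookie" in h else "moderate"
```

Feed it the headers captured for each authenticated page; any result other than `not-stored` or `revalidated` on a personalised response needs attention.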

Additional Resources

Find Insecure Web Cache Settings on your Webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including cache settings. See how the Golem Scan can help your business today.