Vulnerability fix: Cache Management: Insecure Policy

戚高洁
2023-12-01

Description

WebInspect has detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to guarantee confidentiality, administrators must ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that user-agents disable caching of secure content by default could cause the application to fail the organization's cache policy. An unsafe specification such as Cache-Control: public instructs the browser to persistently cache the content on disk. Cache-Control with no-store in its value must be set to prevent browsers from persisting content. Browsers and intermediate proxies will still persist content under the no-cache directive; they will, however, revalidate it with the server before serving it from cache. The private directive prevents intermediate proxies from caching content and can be used in addition to no-store. A missing Cache-Control header results in browsers caching content regardless of whether it is served over HTTP or HTTPS.

The header value the finding expects:

Cache-Control: no-store

Solution

Add one of the following in the location or server block:
add_header Cache-Control no-store;
or
add_header Cache-Control no-cache;
or
add_header Cache-Control private;
Note that only no-store satisfies the requirement stated in the finding: no-cache still lets browsers and proxies store the response (they merely revalidate it before reuse), and private only keeps shared caches out, so either of those alone may be flagged again. A combined value needs quoting in nginx, e.g. add_header Cache-Control "no-store, private";. Two nginx caveats: add_header directives in a location block replace, rather than merge with, any add_header set in the enclosing server or http block, so other response headers configured there must be repeated; and add_header is only applied to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses unless the always parameter is given (add_header Cache-Control no-store always;). If the upstream application already sends its own Cache-Control, add_header appends a second header instead of replacing it; use proxy_hide_header Cache-Control; in the same block to drop the upstream one first.
Use the vulnerability hint and the scanned URL to decide which one to add and whether to put it in location or server; in my case I added no-store.
For example:

location  /xx/xx{
	# replaces any add_header inherited from server{}; repeat those here if needed
	add_header Cache-Control no-store;
}
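To confirm the fix from the client side, the following shell function classifies a response's Cache-Control policy using exactly the rules the finding above describes (no-store is safe, no-cache only revalidates, public or a missing header is unsafe). It is an added example, not part of the original post or of WebInspect; the two sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: classify a response's Cache-Control policy by the rules in the
# WebInspect finding:
#   no-store present            -> SAFE       (nothing is persisted)
#   no-cache without no-store   -> REVALIDATE (stored, but revalidated before reuse)
#   header missing, or public   -> UNSAFE     (persisted to disk)
#   anything else (max-age ...) -> UNSAFE     (no-store is required)
# Input: raw HTTP response headers on stdin, e.g. from `curl -sI https://host/xx/xx`.
# Output: first word is the verdict, the rest is the reason. Exit status 0 only for SAFE.

cache_verdict() {
    # Collect every Cache-Control header (nginx add_header can produce a second
    # one next to the upstream's), match the name case-insensitively, strip CR,
    # lowercase, and drop spaces so directives split cleanly on commas.
    cc=$(tr -d '\r' | awk -F': *' '
        tolower($1) == "cache-control" { v = v (length(v) ? "," : "") $2 }
        END { print v }' | tr 'A-Z' 'a-z' | tr -d ' ')

    if [ -z "$cc" ]; then
        echo "UNSAFE Cache-Control header missing; browsers may cache the response"
        return 2
    fi

    # Wrap the value in commas so each directive matches as a whole token
    # (",no-store," never matches inside ",no-store-foo,").
    case ",$cc," in
        *,no-store,*)
            echo "SAFE no-store present ($cc)"
            return 0 ;;
        *,no-cache,*)
            echo "REVALIDATE no-cache without no-store: content is still stored ($cc)"
            return 1 ;;
        *,public,*)
            echo "UNSAFE public allows persistent caching on disk ($cc)"
            return 2 ;;
        *)
            echo "UNSAFE no-store missing ($cc)"
            return 2 ;;
    esac
}

# Constructed sample responses (not captured from a real server): the policy
# before the fix and the one produced by `add_header Cache-Control no-store;`.
BEFORE='HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=3600'

AFTER='HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store'

printf '%s\n' "$BEFORE" | cache_verdict
printf '%s\n' "$AFTER"  | cache_verdict
```

Against a live server run curl -sI on the scanned URL and pipe it into cache_verdict; because add_header without always is skipped on error responses, check a 404 or 500 page from the same location as well as the 200.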

References

https://vulncat.fortify.com/en/detail?id=desc.dynamic.xtended_preview.cache_management_insecure_policy

https://www.cnblogs.com/kevingrace/p/10459429.html

https://blog.csdn.net/hxg117/article/details/81236190
