FAC-D-2023-002 - Caching #3120

Closed
Tracked by #2649
jadudm opened this issue Jan 3, 2024 · 2 comments
Labels: compliance (Stuff which may relate to a specific requirement or timelines for resolution), eng

Comments

@jadudm
Contributor

jadudm commented Jan 3, 2024

https://docs.google.com/spreadsheets/d/1SYLLqrstW3kpR3skRoXrm8tSa6jQF1NvBsR3i37GvsU/edit#gid=565013969

Disable browser caching. Cookies?

@jadudm mentioned this issue Jan 3, 2024
@jadudm changed the title from "FAC-D-2023-002 - 2023-12-14" to "FAC-D-2023-002 - Caching" Jan 3, 2024
@jadudm added the compliance and eng labels Jan 3, 2024
@tadhg-ohiggins
Contributor

FAC-D-2023-002

This has the following “Weakness description”:

Cacheable HTTPS

Application browser may store a local cached copy of content received from web servers including sensitive content accessed via HTTPS. Sensitive information in the application responses can be stored in the local cache which can be retrieved by other users who have access to the same computer at a future time.

This finding, according to the OWASP testing guidelines, should be applied in reference to specific pages containing sensitive information that do not have the appropriate browser cache-control settings; this is the relevant section from the OWASP testing docs:

[C]hecking that for every page that contains sensitive information the server instructed the browser not to cache any data

This finding should enumerate what pages specifically are displaying “sensitive information” that need to be changed to suppress browser caching.

Note that the FAC application does not display any sensitive information during user submission; the only information that might qualify (tribal data marked as private) is in files that users are uploading, which are not part of the cache control domain.
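
The OWASP check quoted above (for every sensitive page, the server instructed the browser not to cache) as an added example, not code from the FAC project: a Python function that reads captured response headers and reports which caching directives are missing, treating `Cache-Control: no-store` as sufficient on its own and falling back to the older OWASP trio (no-cache, Pragma, Expires) otherwise. The `NO_CACHE_HEADERS` set and the function names are assumptions.

```python
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Header set a sensitive page should send (assumed; follows OWASP's example).
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into lower-cased {directive: argument}."""
    out: dict[str, str | None] = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            out[name] = arg.strip().strip('"') or None
    return out

def expires_in_past(value: str) -> bool:
    """True when Expires is already past or unparsable (e.g. "0"); both mean
    'stale now' per RFC 9111. An absent header is not 'in the past'."""
    if not value.strip():
        return False
    try:
        when = parsedate_to_datetime(value)
    except (ValueError, TypeError):  # invalid date, including "0" and "-1"
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def cache_findings(headers: dict[str, str]) -> list[str]:
    """Return caching weaknesses; an empty list means the browser was told not
    to cache. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return []  # sufficient on its own for HTTP/1.1+ clients
    findings = ["Cache-Control lacks no-store (no-cache alone still allows a disk copy)"
                if "no-cache" in cc else "Cache-Control does not forbid caching"]
    if lowered.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if not expires_in_past(lowered.get("expires", "")):
        findings.append("Expires missing or in the future")
    return findings
```

Run it over the headers captured from each page that shows sensitive information; any page returning a non-empty list is one the finding should name.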

@danswick danswick self-assigned this Jan 25, 2024
@jadudm
Contributor Author

jadudm commented Feb 26, 2024

I believe this is part of our comms to the reviewers, and I'm bumping this to closed until further notice, as I do not think we can take further action.

@jadudm jadudm closed this as completed Feb 26, 2024