The browser may keep a local cached copy of content received from web servers, including sensitive content accessed over HTTPS. Sensitive information in application responses can therefore end up in the local cache, where another user with access to the same computer can retrieve it later.
According to the OWASP testing guidelines, this finding should be applied to specific pages that contain sensitive information and do not set the appropriate browser cache-control headers; this is the relevant section from the OWASP testing docs:
[C]hecking that for every page that contains sensitive information the server instructed the browser not to cache any data
This finding should enumerate which pages specifically display "sensitive information" and therefore need to be changed to suppress browser caching.
Note that the FAC application does not display any sensitive information during user submission; the only information that might qualify (tribal data marked as private) is in files that users upload, and those files are not served through pages governed by these cache-control settings.
I believe this is part of our comms to the reviewers, and I'm bumping this to closed until further notice, as I do not think we can take further action.
https://docs.google.com/spreadsheets/d/1SYLLqrstW3kpR3skRoXrm8tSa6jQF1NvBsR3i37GvsU/edit#gid=565013969
Disable browser caching. Cookies?
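The OWASP check quoted above is mechanical enough to script: for each page that carries sensitive information, confirm that the response headers tell the browser not to store it. The block below is an added example, not code from the FAC project. It implements the check against a response's headers and enumerates, from a constructed page inventory, which sensitive pages still need fixing; the page paths and headers are made-up sample data, and the "good" header set is the Cache-Control/Pragma/Expires combination OWASP recommends.

```python
"""Check whether a response's headers suppress browser caching (added example).

Not FAC project code. Applies the OWASP test quoted in the issue: for every
page containing sensitive information, the server must instruct the browser
not to cache the response. All sample paths and headers are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header into {directive: argument}, lower-cased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def expires_in_future(value: str) -> bool:
    """True only if Expires names a time after now (i.e. the response is reusable).

    "0" / "-1" and unparsable dates are treated as already expired, as RFC 9111
    requires, so they count as safe.
    """
    if value.strip() in ("0", "-1"):
        return False
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def caching_findings(headers: Dict[str, str]) -> List[str]:
    """Return the ways these headers still permit caching; [] means suppressed."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache")
    if "public" in cc:
        findings.append("Cache-Control marks the response public")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control allows reuse for {max_age}s")
    if "no-cache" not in lower.get("pragma", "").lower():
        findings.append("Pragma: no-cache missing (HTTP/1.0 clients)")
    if expires_in_future(lower.get("expires", "0")):
        findings.append("Expires lies in the future")
    return findings


def no_store_headers() -> Dict[str, str]:
    """The header set OWASP recommends for pages with sensitive content."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


# Constructed inventory: path -> (displays sensitive information?, response headers).
# The issue asks the finding to enumerate exactly these: sensitive pages that
# still allow caching. Paths are illustrative, not FAC routes.
PageInventory = Dict[str, Tuple[bool, Dict[str, str]]]
SAMPLE_PAGES: PageInventory = {
    "/": (False, {"Cache-Control": "public, max-age=600"}),
    "/account/profile": (True, {"Cache-Control": "private, max-age=300"}),
    "/account/settings": (True, no_store_headers()),
    "/static/app.css": (False, {"Cache-Control": "public, max-age=31536000"}),
}


def pages_needing_fix(inventory: PageInventory) -> List[str]:
    """Sensitive pages whose headers do not fully suppress browser caching."""
    return sorted(
        path
        for path, (sensitive, headers) in inventory.items()
        if sensitive and caching_findings(headers)
    )


if __name__ == "__main__":
    for path in pages_needing_fix(SAMPLE_PAGES):
        print(path, "->", "; ".join(caching_findings(SAMPLE_PAGES[path][1])))
```

Only pages flagged as sensitive are reported, which is the point of the issue: a cacheable public landing page or stylesheet is not a finding, and a sensitive page that already sends the no-store set drops out of the list.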