SCP [138, 140] Cornucopia - Data Protection

These are SCP coding practices used during Cornucopia threat modeling sessions that we could add here.

ref: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf

**SCP [138]** Do not include sensitive information in HTTP GET request parameters

I would say this is similar to [ASVS 14.2.1](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x23-V14-Data-Protection.md#v142-general-data-protection)
SCP [138] is referred to in [SM9](https://cornucopia.owasp.org/cards/SM9).

**Suggestion:**  Do not include sensitive information in the URL or query string, such as an API key or session token

-----------

**SCP [140]** Disable client side caching on pages containing sensitive information. Cache-Control: no-store, may be used in conjunction with the HTTP header control "Pragma: no-cache", which is less effective, but is HTTP/1.0 backward compatible

I would say this is similar to [ASVS 14.3.2](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x23-V14-Data-Protection.md#v143-client-side-data-protection)
SCP [140] is referred to in [AZ3](https://cornucopia.owasp.org/cards/AZ3) and [AT3](https://cornucopia.owasp.org/cards/AT3).

**Suggestion:** Disable client side caching on pages containing sensitive information (e.g. Cache-Control: no-store)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

SCP [138, 140] Cornucopia - Data Protection #125

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

SCP [138, 140] Cornucopia - Data Protection #125

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions