For a project of ours, our customer ran a "pen test" across the ASP.NET Webforms 4.0 application and found a number of security issues that they want us to fix.
The one that causes the most discussion so far is a finding that the app allows pages and content to be cached, and this could potentially lead to unauthorized users seeing data they shouldn't see (that's what the "Pen Test" finding says, roughly).
The suggested "fix" is to set the Cache-Control and Pragma HTTP headers to no-cache to avoid such caching, by adding this to my web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Cache-Control" value="no-cache, no-store, must-revalidate, private"/>
          <add name="Pragma" value="no-cache"/>
          <add name="Expires" value="-1"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
But I'm a bit reluctant to do this globally - doesn't this also turn off any caching of images, JavaScript and CSS files for the application? That could have a significant and negative impact on site performance - no?
So can I do something "in between"? Prevent the actual ASP.NET pages from being cached, with the data they present, but still keep caching of static content in place? If that is possible: what headers do I have to set, and to what, to achieve this?
Thanks!
When you're in Google Chrome, click on View, then select Developer, then Developer Tools. Alternatively, you can right click on a page in Chrome, then click Inspect. Click on the Network tab, then check the box to Disable cache. You can then close out of Developer Tools.
Here is what you need to remember when caching static resources on a CDN or a local cache server: use the Cache-Control HTTP header to control who may cache the response, under which conditions, and for how long. Configure your server or application to send a validation token (ETag) so that caches can revalidate cheaply. Do not let the browser cache HTML.
Fragment caching does not actually cache a Web Form's code fragments directly; fragment caching refers to the caching of individual user controls (.ascx) within a Web Form. Each user control can have an independent cache duration and its own implementation of how the caching behaviour is applied.
The Cache-Control HTTP header carries caching instructions in both requests and responses. The Pragma header is only kept for backwards compatibility with HTTP/1.0 caches, which do not understand Cache-Control, so the two are normally sent together. If sensitive information in application responses is stored in a local cache, it can be read back by anyone who later uses the same browser or shared proxy, which is the risk the pen test finding describes.
If you are using a master page for the site, or have extended the Page class and created your pages from that extended class, then you can place the following code in the appropriate Page_Load event:

    protected void Page_Load(object sender, EventArgs e)
    {
        Response.Cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache, Pragma: no-cache
        Response.Cache.SetExpires(DateTime.Now.AddDays(-1));             // Expires: <a date in the past>
        Response.Cache.SetNoStore();                                     // Cache-Control: no-store
        Response.Cache.SetProxyMaxAge(TimeSpan.Zero);                    // Cache-Control: s-maxage=0
        Response.Cache.SetValidUntilExpires(false);                      // let the client's Cache-Control/Pragma request headers invalidate any output-cached copy
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
    }
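The Page_Load approach above only covers pages that actually inherit from the master page or the extended Page class. As an added example, not code from the original question or answer, the same policy can be applied once from an IHttpModule that looks at which handler the pipeline has mapped the request to: System.Web.UI.Page instances (the .aspx pages that render per-user data) get no-store, while static files, which are served by a different handler, keep whatever client-cache policy IIS applies to them. The class name NoCacheForPagesModule and the helper MarkNoStore are illustrative names chosen for this example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not part of the original answer): an IHttpModule that applies
// the no-store cache policy to every response produced by a System.Web.UI.Page
// handler and leaves static files (.js, .css, images) to IIS's normal client
// caching. The module name and the MarkNoStore helper are illustrative names.
public class NoCacheForPagesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By PreRequestHandlerExecute the pipeline has already mapped the request
        // to its handler, so a Web Form can be told apart from a static file or
        // a generic .ashx handler.
        app.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        IHttpHandler handler = app.Context.Handler;

        // Only Web Forms pages carry the per-user data the pen test finding is
        // about. Static files reach this point with a non-Page handler (or no
        // managed handler at all), so they keep the <staticContent> policy.
        if (handler is Page)
        {
            MarkNoStore(app.Response);
        }
    }

    // Same policy the Page_Load snippet above sets, centralised in one place so
    // that pages which do not derive from the shared base class are covered too.
    public static void MarkNoStore(HttpResponse response)
    {
        HttpCachePolicy cache = response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);       // Cache-Control: no-cache, Pragma: no-cache, Expires: -1
        cache.SetNoStore();                                     // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
        cache.SetValidUntilExpires(false);                      // honour client no-cache / max-age=0 against the output cache
    }

    public void Dispose()
    {
        // Nothing to release: the module holds no unmanaged resources.
    }
}
```

To enable it under the IIS integrated pipeline, register the module in web.config under system.webServer/modules with an add element whose name is arbitrary and whose type is the class name (or "Namespace.Class, Assembly" if it is compiled into a separate assembly). Static content keeps its own, positive, caching policy from system.webServer/staticContent/clientCache (for example cacheControlMode="UseMaxAge" with a cacheControlMaxAge of a few days), and IIS emits ETag and Last-Modified for static files by default, so browsers revalidate them cheaply. Two caveats a practitioner should check: generic handlers (.ashx), web services and any other endpoint that returns sensitive data are not Page instances and need the same treatment, so widen the condition for those handler types; and after deploying, compare the Cache-Control headers returned for an .aspx page and for a .js or .css file to confirm the pages say no-store while the static files still carry a max-age.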