
Bulletproof TLS Guide  

Comprehensive and yet concise guide to practical SSL/TLS and PKI configuration. Includes coverage of TLS server configuration and web application security. Written by Ivan Ristić.


1.3.5 Disable Caching

Encryption at the network level prevents both passive and active network attacks, but TLS doesn't actually provide full end-to-end encryption: both sides involved in the communication have access to the plaintext. Because caching is commonly used with HTTP to improve performance, browsers may, for example, store plaintext data in persistent storage. Intermediate proxy services (e.g., content delivery networks) may not only cache sensitive data but, when misconfigured, even serve it to other users.

With the increase of cloud-based application delivery platforms and content delivery networks, it's never been more important to very carefully mark all sensitive content as private. The most secure option is to indicate that the content is private and that it must not be cached:

Cache-Control: private, no-store

With this setting, neither intermediate devices nor browsers will be allowed to cache the served content. For less important information, allowing browser caching may provide sufficient security.
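As an added example (not part of the guide), the following Python script classifies a response by where its plaintext is permitted to end up, using the RFC 9111 semantics of `no-store` (no cache may store it) and `private` (shared caches such as CDNs and proxies may not store it). The three sample responses are constructed for illustration: one with no caching directives at all, one marked `private` only, and one with the recommended `private, no-store`.

```python
"""Classify HTTP responses by caching exposure (added example, not from the guide).

Rules used:
  - no-store : neither shared caches nor browsers may store the response
  - private  : shared caches (CDNs, proxies) may not store it; browsers may
Everything else is treated as storable by both, which is the risky default for
sensitive content.
"""
from typing import Dict, List, Optional

# Constructed sample responses (header name -> value), not captured traffic.
SAMPLES: Dict[str, Dict[str, str]] = {
    "unmarked": {"Content-Type": "text/html", "Set-Cookie": "session=abc; HttpOnly"},
    "private_only": {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"},
    "recommended": {"Content-Type": "text/html", "Cache-Control": "private, no-store"},
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'private, max-age=600' into {'private': None, 'max-age': '600'}.

    Directive names are case-insensitive, so they are lower-cased here.
    """
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def caching_exposure(headers: Dict[str, str]) -> Dict[str, bool]:
    """Return which kinds of cache are permitted to store the response."""
    cc_value = ""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "cache-control":
            cc_value = value
    cc = parse_cache_control(cc_value)
    no_store = "no-store" in cc
    private = "private" in cc
    return {
        # Shared caches must not store responses marked private or no-store.
        "shared_cache": not (no_store or private),
        # Browser caches may persist anything except no-store.
        "browser_cache": not no_store,
    }


def findings(headers: Dict[str, str]) -> List[str]:
    """Human-readable review notes for a response's caching headers."""
    exposure = caching_exposure(headers)
    notes: List[str] = []
    sets_cookie = any(name.lower() == "set-cookie" for name in headers)
    if exposure["shared_cache"]:
        notes.append("shared caches may store this response and could serve it to other users")
        if sets_cookie:
            notes.append("response sets a cookie but is not marked private: likely per-user content")
    if exposure["browser_cache"]:
        notes.append("browser may persist the plaintext in its disk cache")
    if not notes:
        notes.append("not cacheable by shared caches or browsers")
    return notes


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {headers.get('Cache-Control', '<no Cache-Control>')}")
        for note in findings(headers):
            print(f"  - {note}")
```

Run it against headers captured from the edge, not only from the origin: CDNs and reverse proxies can be configured to override or ignore origin caching directives, so the only reliable check is the `Cache-Control` the client actually receives.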
