
Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header.

From: Meir Renford <meirre_at_mellanox.com>
Date: Wed, 18 Dec 2013 15:22:51 +0000

Hi,
I was referred to this mailing list regarding this bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=55896#add_comment

When running OWASP ZAP web security tool, I get the following flag:

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

I was surprised since I had the no-cache header in both the HTML code and the httpd header.

After investigating the flag, I noticed that the response was a generic "302 Found" error response from Apache (located in apache/src/modules/http/http_protocol.c).

Full response given:

header:

HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

body:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved here.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>

In conclusion:

1. Issue is "Secure page can be cached in browser." (found by OWASP ZAP) for the HTTPS page response "302 Found" from Apache.

2. Apache httpd bugs team indicated that this is not a bug in their side.

I fail to understand then,

1. If no "no-cache" flag was entered in the header, how could the response avoid being cached by the browser?

2. If it is not explicitly mentioned, isn't it a security risk over apache generic response?

Would appreciate your help/advice.

Thanks,

Meir
Received on 2013-12-18 16:36:04 CET
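An added example, not part of Meir's post, of ZAP, or of httpd: a small Python check in the spirit of the "Secure page can be cached in browser" alert, run over a reconstruction of the 302 response quoted above and over the same response with cache-prevention headers added. The rule it applies (a response passes if it carries Cache-Control no-store or no-cache, Pragma: no-cache, or an Expires that is invalid or not later than Date) is my assumption about what the scanner looks for, not ZAP's own code; the sample responses are constructed from the headers shown in the post.

```python
"""Flag HTTPS responses that carry no cache-prevention headers.

Added example in the spirit of the OWASP ZAP alert quoted in the post;
the exact rule below is an assumption, not ZAP's implementation.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, List[str]]


def parse_response(raw: str) -> Tuple[str, Headers, str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased; a header that appears more than once is
    kept as a list so that, e.g., two Cache-Control lines are both seen.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate a bare-LF capture such as a pasted mail
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0].strip() if lines else ""
    headers: Headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def cache_directives(headers: Headers) -> set:
    """Cache-Control directive names, lower-cased, without arguments
    (so 'max-age=0' contributes 'max-age')."""
    names = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            token = token.strip()
            if token:
                names.add(token.split("=", 1)[0].lower())
    return names


def _parse_http_date(value: str) -> Optional[datetime]:
    """Parse an HTTP-date into an aware UTC datetime; None if it is invalid."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def _expires_in_past(headers: Headers) -> bool:
    """True when Expires is present and invalid or not later than Date.
    RFC 7234 treats an unparsable Expires (such as '0') as already expired."""
    expires = headers.get("expires")
    if not expires:
        return False
    exp = _parse_http_date(expires[-1])
    if exp is None:
        return True
    date_values = headers.get("date")
    now = _parse_http_date(date_values[-1]) if date_values else None
    if now is None:
        now = datetime.now(timezone.utc)
    return exp <= now


def declares_no_cache(headers: Headers) -> bool:
    """True when the response tells the browser not to reuse it."""
    if {"no-store", "no-cache"} & cache_directives(headers):
        return True
    if any("no-cache" in v.lower() for v in headers.get("pragma", [])):
        return True
    return _expires_in_past(headers)


def audit(raw: str) -> dict:
    """Run the check over one raw response and return a small report;
    'flagged' is True when the alert from the post would be raised."""
    status, headers, _ = parse_response(raw)
    return {
        "status": status,
        "cache_control": sorted(cache_directives(headers)),
        "flagged": not declares_no_cache(headers),
    }


# Constructed sample: the redirect quoted in the post, with a short body.
RAW_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sat, 30 Nov 2013 10:44:40 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "Location: https://10.209.0.81/admin/launch?script=rh&template=login\r\n"
    "Content-Length: 376\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><p>The document has moved here.</p></body></html>"
)

# Constructed sample: the same redirect after cache-prevention headers are added.
RAW_302_HARDENED = RAW_302.replace(
    "Server: Apache\r\n",
    "Server: Apache\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n",
)

if __name__ == "__main__":
    for raw in (RAW_302, RAW_302_HARDENED):
        print(audit(raw))
```

The bare 302 is flagged because nothing in it speaks to caching at all. Two points a practitioner would add: under RFC 7231 a 302 is not cacheable by default, so a conforming cache stores it only when explicit freshness information (Expires, max-age) is present, which is why a bare redirect is a low-risk finding in practice; and headers set only in the application or in the HTML never reach a response that httpd generates itself. The mod_headers way to cover those responses too is `Header always set Cache-Control "no-store"` (the `always` condition applies the header to non-success responses, not just 2xx ones), with `Pragma` and `Expires` set the same way if older clients matter.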

This is an archived mail posted to the Subversion Users mailing list.
