cache-control and pragma



#1

Postby Steve James » Tue Dec 22, 2015 12:25 pm

Hi, we've just had some PEN testing and an issue that was raised was that "Applications should return caching directives instructing browsers not to store local copies of any sensitive data"

The 3 pages the PEN testers highlighted were:
  • ufsmain - we've checked and they are present so we are checking with the PEN testers.
  • uploader - this page uses "cache-control private". I'm looking at what the difference is.
  • ufsajax - no cache control nor pragma headers. We can of course turn ajax off for specific forms (not that we want to).

Can you advise whether this will be fixed in a future release or the reason why this is by design?

Thanks


#2

Postby Steve James » Mon Jan 04, 2016 10:31 am

Hi, Happy New Year Ebase, have you spotted this query?

Thanks

Jon
Moderator

#3

Postby Jon » Mon Jan 04, 2016 4:16 pm

And a Happy New Year to you too. No, we managed to miss this.

ufsmain: this is the main servlet and should be OK. We explicitly set directives to prevent caching.

uploader: I'll raise a bug report to get this investigated. But I think we are talking about the static page presented by the uploader. So not much of a security risk.

ufsajax: all requests are POSTs, so my understanding is they won't be cached by browsers.
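The three cases discussed in this thread can be checked mechanically. The following is an added example, not part of the original posts and not Verj.io code: it classifies a response by its Cache-Control header. The servlet names come from the thread; the HTTP methods and header values in `samples` are constructed assumptions, and `auditCaching` is a hypothetical helper name.

```javascript
// Added example: classify what a response's Cache-Control says about browser storage.
// All header values below are constructed samples, not captured from a real server.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=", 2);
    if (name) directives.set(name.toLowerCase(), (arg || "").replace(/"/g, ""));
  }
  return directives;
}

function auditCaching(method, headers) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);

  // Pragma: no-cache has no defined meaning in responses (RFC 7234, section 5.4),
  // so it is deliberately not counted as a directive here.
  if (cc.has("no-store")) return "explicit-no-store"; // caches must not keep a copy
  // no-cache forces revalidation before reuse but does not forbid storing.
  if (cc.has("no-cache")) return "revalidate-only";
  const fresh = cc.has("max-age") || cc.has("s-maxage") || "expires" in h;
  // "private" only excludes shared caches; the browser's own cache may still store.
  if (cc.has("private") || cc.has("public") || fresh) return "browser-may-store";
  // A POST response is cacheable only with explicit freshness information, so with
  // none it is not stored by default, although no directive says so explicitly.
  if (method.toUpperCase() === "POST") return "implicit-not-cached";
  return "heuristic-may-store"; // GET without directives: heuristics may apply
}

// Constructed samples mirroring the three pages named in the thread.
const samples = {
  ufsmain: ["GET", { "Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache" }],
  uploader: ["GET", { "Cache-Control": "private" }],
  ufsajax: ["POST", { "Content-Type": "text/html" }],
};

for (const [page, [method, headers]] of Object.entries(samples)) {
  console.log(page, "->", auditCaching(method, headers));
}
```

A scanner that only looks for the presence of caching headers will report the third case even though the response is not stored by default, which is the distinction to raise with the testers.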


#4

Postby Steve James » Tue Jan 05, 2016 8:43 am

Thanks Jon

