Issues » Insecure Browser Caching

Issue: SI-10
Date: Jun 7, 2013, 11:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 2.5
Credit: Internal Security Team
Description:

It has been reported that many dotCMS Admin screens do not include Cache-Control headers.  This can allow a client browser to cache dotCMS admin pages (as rendered) locally on the client's computer, which if examined, could expose sensitive content.  

This does not affect proxy servers - because all dotCMS pages are served with cookies

All web pages that contain sensitive content should be served with Cache-Control and Pragma headers that prevent any information from being cached. 

Mitigation:

dotCMS includes cache control meta tags in its html, which is respected by all major browsers. If you would like to include Using a static plugin, override the /html/common/top_inc.jsp and include the appropriate response headers, like this:

response.setHeader("Cache-Control","no-store");
response.setHeader("Pragma","no-cache");
response.setHeader("Expires","01 Jan 2000 00:00:00 GMT");

References
  • https://github.com/dotCMS/dotCMS/issues/3045

Highly Rated and Recommended

We're rated Excellent 4.2/5 stars on G2 - with 95+ verified reviews