Topic: apache - secure page can be cached

Author: meirre@mellanox.com
Joined: 17 Dec 2013 Posts: 1 Location: Israel
Posted: Wed 18 Dec '13 11:55 Post subject: apache - secure page can be cached
Hi,
When running the OWASP ZAP web security tool, I get the following flag:
Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.
I was surprised since I had the no-cache header in both the HTML code and the httpd headers.
After investigating the flag, I noticed that the response was a generic 302 Found error response from Apache (located in apache/src/modules/http/http_protocol.c).
I have added a patch to the code that adds the Cache-Control & Pragma HTML headers with no-cache, and that solved the security flag (patch attached).
Full response given:
Header:
HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://*****
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1
Body:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://******">here</a>.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>
In conclusion:
The issue is "Secure page can be cached in browser." (found by OWASP ZAP) for the HTTPS page response "302 Found" from Apache.
I would appreciate it if anyone could advise.
Thanks,
Meir
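The mitigation the first post is asking for, as an added example that is not part of this thread: a mod_headers configuration in which the poster's symptom reproduces, beside the corrected form. The directives are real mod_headers/mod_alias directives; the host name and paths are hypothetical, and only one of the two blocks belongs in a real config.

```apache
# Added example, not from the thread. Requires mod_headers and mod_alias.
# Host name and paths are hypothetical; use only ONE of the two blocks.

# --- Weak: the configuration the first post describes ---
# "Header set" (default condition "onsuccess") writes to the header table
# httpd sends with 2xx responses. When httpd generates a 302 itself, it
# discards that table (only Location is carried over), so the redirect
# leaves with no Cache-Control at all. A <meta http-equiv> tag in the
# page cannot help either: the browser never renders a redirect body.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"

    # A generated 302 like the one quoted in the post.
    Redirect temp /account https://www.example.com/login
</VirtualHost>

# --- Hardened: the same headers on every response, redirects included ---
# The "always" condition writes to the table httpd keeps for non-2xx
# responses (redirects and errors), so the 302 carries the headers too.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    Header always set Cache-Control "no-cache, no-store, must-revalidate"
    Header always set Pragma "no-cache"
    Header always set Expires "0"

    Redirect temp /account https://www.example.com/login
</VirtualHost>

# Check against the running server (hypothetical host):
#   curl -sSI https://www.example.com/account
# The 302 Found response should now list the Cache-Control, Pragma and
# Expires lines next to Location, which is what the ZAP check looks for.
```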
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Wed 18 Dec '13 19:06 Post subject:

302 means Moved Temporarily, aka redirect. That is a feature, not a bug.