logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: apache - secure page can be cached
Author
meirre@mellanox.com



Joined: 17 Dec 2013
Posts: 1
Location: Israel

PostPosted: Wed 18 Dec '13 11:55    Post subject: apache - secure page can be cached Reply with quote

Hi,
When running OWASP ZAP web security tool, I get the following flag:
Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

I was surprised since i had the no cache header in both html code and httpd header.

After investigating the flag, i noticed that the response was a generic 302 found error response from Apach (located in apache/src/modules/http/http_protocol.c).

I have added a patch to code when adding the cache-control & pragma html headers with no-cache - and that had solved the security flag (patch attached).

full response given:
header:
HTTP/1.1 302 Found
Date: Sat, 30 Nov 2013 10:44:40 GMT
Server: Apache
X-Frame-Options: DENY
Location: https://*****
Content-Length: 376
Content-Type: text/html; charset=iso-8859-1

body:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://******">here</a>.</p>
<hr>
<address>Apache Server at 10.209.0.81 Port 443</address>
</body></html>


In conclusion:
Issue is "Secure page can be cached in browser." (found by owasp zap) for https page response "302 Found" from Apache.

Would appreciate if anyone could advise.

Thanks,
Meir
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 18 Dec '13 19:06    Post subject: Reply with quote

302 means Moved Temporarily aka redirect. That is feature, not a bug.
Back to top


Reply to topic   Topic: apache - secure page can be cached View previous topic :: View next topic
Post new topic   Forum Index -> Apache