Details

Alert ID: 10015
Alert Type: Passive
Status: release
Risk: Informational
CWE: 525
WASC: 13
Technologies Targeted: All
Tags: CWE-525, POLICY_PENTEST, SYSTEMIC, WSTG-V42-ATHN-06
More Info: Scan Rule Help

Summary

The Cache-Control header is missing or not set properly, so browsers and intermediate proxies are allowed to cache the content. For static assets such as CSS, JavaScript, or image files this may be intended; however, the resources should be reviewed to ensure that no sensitive content will be cached.

Solution

For sensitive content, ensure the Cache-Control HTTP header is set to "no-cache, no-store, must-revalidate". Of these, no-store is the directive that forbids storing the response at all; no-cache on its own only requires a cache to revalidate a stored copy before reusing it, and private only keeps shared caches out while the browser cache still stores the response. If an asset should be cached, consider setting the directives "public, max-age=<seconds>, immutable".
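The check described in the Summary and Solution, as an added example that is not part of this page or of the ZAP scan rule's own Java code: a small Python audit that parses Cache-Control directives from constructed sample responses and reports which ones would let a dynamic response be stored by a browser or proxy, while leaving explicitly cacheable static assets alone. The static-asset content types, sample paths and headers are assumptions made for the example.

```python
"""Passive Cache-Control check over sample HTTP responses.

Illustrative code added to this page; it is not the ZAP scan rule's own
implementation. The policy encoded here follows the page's advice: dynamic or
sensitive responses need "no-cache, no-store, must-revalidate", static assets
may be cached with "public, max-age=<seconds>, immutable". Sample responses
below are constructed, not captured traffic.
"""

# Content types treated as static assets (assumption for this example).
STATIC_TYPE_PREFIXES = ("text/css", "text/javascript", "application/javascript", "image/")

# Constructed sample responses: (request path, response headers).
SAMPLE_RESPONSES = [
    ("/account/statement", {"Content-Type": "text/html",
                            "Cache-Control": "no-cache, no-store, must-revalidate"}),
    ("/api/profile", {"Content-Type": "application/json"}),
    ("/api/session", {"Content-Type": "application/json",
                      "Cache-Control": "private, max-age=600"}),
    ("/login", {"Content-Type": "text/html", "cache-control": "no-cache"}),
    ("/static/app.js", {"Content-Type": "application/javascript",
                        "Cache-Control": "public, max-age=31536000, immutable"}),
    ("/static/logo.png", {"Content-Type": "image/png"}),
]


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}.

    Directive names are case-insensitive; arguments may be quoted.
    """
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        arg = arg.strip().strip('"')
        directives[name.strip().lower()] = arg or None
    return directives


def is_static_asset(headers):
    """True when the Content-Type is one of the asset types assumed above."""
    ctype = (get_header(headers, "Content-Type") or "").lower()
    return ctype.startswith(STATIC_TYPE_PREFIXES)


def check_response(path, headers):
    """Return None if the response is cached safely, else a finding string."""
    static = is_static_asset(headers)
    raw = get_header(headers, "Cache-Control")
    if raw is None:
        # Caching static assets is usually intended; review rather than flag.
        if static:
            return None
        return f"{path}: Cache-Control missing, browsers and proxies may cache this response"
    d = parse_cache_control(raw)
    if "no-store" in d:
        return None  # no-store forbids storing the response in any cache
    if "no-cache" in d:
        # no-cache only forces revalidation; a stored copy can still exist on disk.
        return f"{path}: Cache-Control '{raw}' has no-cache but not no-store, response can still be stored"
    if static and "max-age" in d:
        return None  # explicitly cacheable asset with a lifetime
    # 'private' keeps shared caches out, but the browser cache still stores it.
    return f"{path}: Cache-Control '{raw}' allows caching of a dynamic response"


def recommended_cache_control(static, max_age=31536000):
    """Header value to set, following the page's Solution section."""
    if static:
        return f"public, max-age={max_age}, immutable"
    return "no-cache, no-store, must-revalidate"


def audit(responses):
    """Run the check over (path, headers) pairs and return the findings."""
    return [f for f in (check_response(p, h) for p, h in responses) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

Running the block prints three findings for the constructed set: the missing header on /api/profile, the private/max-age header on /api/session, and the no-cache-only header on /login; the two static assets and the correctly protected statement page are not reported.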

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/CacheControlScanRule.java