Browser Caching Demystified

Last weekend Las Vegas welcomed DEFCON 21 – one of the biggest hacker conventions in the world. I enjoyed it immensely and thought that the quality of the presented material was much better than the talks from the last couple of years. This year, DEFCON had several themes, one of which was privacy. One of the talks that caught my attention (in fact, it was the last talk of the convention) was a 20-minute presentation on browser caching – an eye-opening experience for me and a fitting illustration of DEFCON’s privacy theme.

Jacob Thompson from Independent Security Evaluators went over his case study of the page caching policies implemented in current browsers, and identified a number of web sites that let sensitive information delivered over HTTPS end up cached on disk.

The table below provides a quick summary of browser behavior with respect to caching pages delivered over HTTPS on disk. "Cache" means the response is written to the on-disk cache; "Don’t cache" means it is not.

Response header / HTML tag                      IE           Firefox      Firefox      Chrome       Safari
                                                             pre 4.0      post 4.0
Default behavior                                Cache        Don’t cache  Cache        Cache        Don’t cache
Cache-Control: no-store (HTTP header)           Don’t cache  Don’t cache  Don’t cache  Don’t cache  Don’t cache
Cache-Control: no-cache (HTTP header)           Don’t cache  Don’t cache  Cache        Cache        Don’t cache
Cache-Control: public (HTTP header)             Cache        Cache        Cache        Cache        Don’t cache
Pragma: no-cache (HTTP header)                  Don’t cache  Don’t cache  Cache        Cache        Don’t cache
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">   Don’t cache  Don’t cache  Cache        Cache        Don’t cache

In general, there are three main ways to try to prevent caching:

  1. By specifying the Cache-Control response header,
  2. By specifying the Pragma response header, and
  3. By specifying the Pragma meta tag in the HTML.

Only “Cache-Control: no-store” is both standard for this purpose and honored by every browser in the table. “Cache-Control: no-cache” is also a standard directive, but it only requires the browser to revalidate the response with the server before reusing it; it does not forbid writing the response to disk, which is exactly what Firefox 4 and later and Chrome do. “Pragma: no-cache” is defined by HTTP/1.1 as a request directive for the benefit of HTTP/1.0 caches, so its meaning in a response is left to each browser, and the meta tag is an HTML-level hint that a browser is free to ignore. Therefore, the best advice to web application developers is to always send “Cache-Control: no-store” as an HTTP response header for content that should not be cached. And if you get it wrong, our HP WebInspect solution can come in handy.
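As an added example (not code from the original post, the talk, or ISE), here is a small Node.js module that parses a response's caching headers, predicts from the table above which browsers would leave an HTTPS response on disk, and builds the header set this post recommends. The per-browser rules are taken from the table; where directives conflict (for instance “public” together with “no-cache”) the code assumes the more restrictive row wins, which the table does not state. The header values it checks are constructed samples, and the Pragma header it adds alongside no-store is an extra of this example, not part of the post's advice.

```javascript
// Added example, not code from the original post or from ISE. Predicts, from a
// response's caching headers, which browsers in the table above write an HTTPS
// response to their on-disk cache, and builds the header set that stops it.
// Assumption: when directives conflict (e.g. "public" with "no-cache") the more
// restrictive table row wins; the table itself does not cover combinations.

// Parse a Cache-Control field value into a Map of lowercase directive -> value
// (true when the directive takes no argument). Commas inside double quotes are
// not separators, so private="set-cookie, authorization" stays one directive.
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  const parts = value.match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
  for (const raw of parts) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? true : part.slice(eq + 1).trim();
    if (typeof val === 'string' && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    directives.set(name, val);
  }
  return directives;
}

// headers: response headers keyed by lowercase name, the shape Node's http
// module uses. metaPragmaNoCache stands in for the <META HTTP-EQUIV="Pragma"
// CONTENT="no-cache"> tag, which sits in the HTML body rather than the headers.
// Returns true per browser when the table says the response is cached on disk.
function predictDiskCaching(headers, metaPragmaNoCache = false) {
  const cc = parseCacheControl(headers['cache-control']);
  const pragmaNoCache = /(^|[\s,])no-cache($|[\s,])/i.test(headers['pragma'] || '');
  const noStore = cc.has('no-store');  // the one directive every browser in the table honours
  const noCache = cc.has('no-cache') || pragmaNoCache || metaPragmaNoCache; // IE and Firefox < 4 only
  return {
    ie:           !noStore && !noCache,
    firefoxPre4:  !noStore && !noCache && cc.has('public'),  // caches HTTPS only when told to
    firefoxPost4: !noStore,
    chrome:       !noStore,
    safari:       false,                                     // never caches HTTPS to disk per the table
  };
}

// Names of the browsers that would leave the response on disk; empty means safe.
function browsersThatCache(headers, metaPragmaNoCache = false) {
  return Object.entries(predictDiskCaching(headers, metaPragmaNoCache))
    .filter(([, cached]) => cached)
    .map(([name]) => name);
}

// Headers to send with any response carrying sensitive data. Cache-Control:
// no-store is the directive the post recommends; Pragma: no-cache is kept as a
// harmless companion for HTTP/1.0-era clients (an addition of this example).
function noStoreHeaders(existing = {}) {
  return { ...existing, 'cache-control': 'no-store', pragma: 'no-cache' };
}

// Constructed sample: a response that relies on no-cache, and its corrected form.
const weakHeaders = { 'cache-control': 'no-cache, max-age=0', pragma: 'no-cache' };
const fixedHeaders = noStoreHeaders(weakHeaders);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak  ->', browsersThatCache(weakHeaders));   // [ 'firefoxPost4', 'chrome' ]
  console.log('fixed ->', browsersThatCache(fixedHeaders));  // []
}
```

Run it with `node` to see the weak header set flagged for Firefox 4+ and Chrome and the corrected set cleared for every browser. The same functions can be pointed at the headers of a real response (for example `res.headers` from Node's `https.get`) to audit a site the way the talk did.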
