
Insecure cache-control header

description

Hi,

I received an "insecure cache control header" issue for the following response:

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store

Keep-Alive: timeout=10, max=98
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 89132


I cannot understand why; this response seems legitimate and not cacheable. Am I wrong, or is this a bug in Watcher's rule base?

Thanks.

comments

chrisweber wrote Aug 19, 2013 at 9:35 PM

Thank you for the report. You're right that Watcher does not consider the most restrictive of the duplicate Cache-Control headers. However, it's uncertain how intermediary proxies would parse those as well, so Watcher errs on the side of caution. E.g. would a proxy take the first header, the second, or both?

Since a value of "no-cache" is not compatible with older proxies, Watcher looks for the presence of "no-store".