
Insecure cache-control header
I get a report that there is an insecure cache-control header issue for the following response:

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store

Keep-Alive: timeout=10, max=98
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en-US
Content-Length: 89132

I cannot understand why; this response seems legitimate and not cacheable. Am I wrong, or is this a bug in Watcher's rule base?
chrisweber wrote Aug 19, 2013 at 10:35 PM

Thank you for the report. You're right that Watcher does not consider the most restrictive of the duplicate Cache-Control headers. However, it's uncertain how intermediary proxies would parse those as well, so Watcher errs on the side of caution. E.g. would a proxy take the first header, the second, or both?

Since a value of "no-cache" is not compatible with older proxies, Watcher looks for the presence of "no-store".
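The ambiguity raised in the reply, as an added example that is not Watcher's own code: the script below takes a constructed copy of the response from the report, reads the duplicate Cache-Control headers the three ways an intermediary might (first only, last only, or merged as RFC 7230 allows), and applies a conservative check that only passes when "no-store" survives every reading. The function names are this example's own.

```python
from __future__ import annotations

# Constructed copy of the response from the report above (headers only).
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Cache-Control: no-cache\r\n"
    "Cache-Control: no-store\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in wire order; names lower-cased, duplicates kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def directives(value: str) -> set[str]:
    """Split a Cache-Control field value into lower-cased directive names."""
    return {tok.strip().split("=", 1)[0].lower() for tok in value.split(",") if tok.strip()}


def cache_control_views(raw: str) -> dict[str, set[str]]:
    """Three ways an intermediary might read duplicate Cache-Control headers:
    first header only, last header only, or all of them merged (the RFC 7230
    rule of joining repeated fields with commas)."""
    values = [v for n, v in parse_headers(raw) if n == "cache-control"]
    if not values:
        return {"first": set(), "last": set(), "merged": set()}
    return {
        "first": directives(values[0]),
        "last": directives(values[-1]),
        "merged": directives(",".join(values)),
    }


def is_no_store_in_all_views(raw: str) -> bool:
    """Conservative check in the spirit of Watcher's rule: 'no-store' must be
    present whichever way a proxy resolves the duplicates. Emitting a single
    'Cache-Control: no-cache, no-store' header makes the response pass."""
    views = cache_control_views(raw)
    return all("no-store" in d for d in views.values())
```

Collapsing the two headers into one `Cache-Control: no-cache, no-store` line removes the ambiguity, since every reading then sees the same directive set.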