Description from Penetration Testing:
Application browser may store a local cached copy of content received from web servers including sensitive content accessed via HTTPS. Sensitive information in the application responses can be stored in the local cache which can be retrieved by other users who have access to the same computer at a future time.
JennaySDavis changed the title from "Cacheable HTTPS" to "Penetration Testing: Cacheable HTTPS" on Aug 8, 2024
Penetration Test Report Recommendation: Update the response header on all responses containing sensitive information to not cache.
Findings: Neither the SmartPay Program site nor the 889 Tool contains sensitive data. All pages are public and accessible to everyone. The recommendation is not to make any application changes, as allowing the user's browser to cache helps with user experience and performance, so they don't always have to go to the server when accessing the pages.
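The check implied by the report recommendation, as an added example that is not part of the original issue or the project's code: it flags only responses marked sensitive whose headers still let a browser keep a local copy. The paths, the `sensitive` flag and the sample headers are constructed for illustration.

```python
# Added example; sample data is constructed and the paths are hypothetical.

def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument-or-None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers):
    """Return True if a browser cache is allowed to keep a copy of the response.

    Only no-store forbids storage. no-cache and private still permit a local
    copy (no-cache only forces revalidation before reuse), and a response with
    no Cache-Control at all may be stored heuristically. Pragma: no-cache is a
    legacy directive and does not forbid storage either.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(normalized.get("cache-control"))
    return "no-store" not in directives


def audit(responses):
    """Return the paths of sensitive responses that a browser may still store."""
    return [r["path"] for r in responses
            if r["sensitive"] and browser_may_store(r["headers"])]


# Constructed sample: one public page and three pages assumed to be sensitive.
SAMPLE = [
    {"path": "/public/page", "sensitive": False,
     "headers": {"Cache-Control": "public, max-age=3600"}},
    {"path": "/account/statement", "sensitive": True,
     "headers": {"Cache-Control": "private, no-cache"}},
    {"path": "/account/profile", "sensitive": True,
     "headers": {"cache-control": "no-store"}},
    {"path": "/account/export", "sensitive": True,
     "headers": {"Pragma": "no-cache"}},
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("sensitive response may be cached locally:", path)
```

Public pages are never reported, which matches the finding above that caching them is acceptable.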