Status: Open. Opened by JennaySDavis 3 months ago.
The findings stated below were reported to ISSO and ISSM on 8/2/24:
Vulnerability: Cacheable HTTPS
Severity: Low
Site(s): https://889.smartpay.gsa.gov/#/ and https://smartpay.gsa.gov/
Penetration Test Report Recommendation: Update the response header on all responses containing sensitive information to not cache.
Findings: Neither the SmartPay Program site nor the 889 Tool contains sensitive data. All pages are public and accessible to everyone. The recommendation is not to make any application changes, as allowing the user's browser to cache helps with user experience and performance, so the browser does not always have to go to the server when accessing the pages.
Description from Penetration Testing: The application's browser may store a local cached copy of content received from web servers, including sensitive content accessed via HTTPS. Sensitive information in the application responses can be stored in the local cache, where it can be retrieved at a future time by other users who have access to the same computer.
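The finding above turns on one question per response: is the browser permitted to write it to local storage, and does the content warrant preventing that? The following is an added illustration, not code from the SmartPay or 889 Tool projects, of how that check can be expressed. It parses Cache-Control the way RFC 9111 defines it (only `no-store` forbids storage; `no-cache`, `max-age=0` and `private` do not stop the user's own browser from keeping a copy), then maps each response to one of three dispositions: the header set the pentest recommends for sensitive responses, the finding, or the accepted-risk case this issue documents for public pages. The sample responses are constructed, not captured from the sites named above.

```python
# Added illustration (not code from the GSA SmartPay / 889 Tool project):
# decide whether an HTTPS response may be written to the browser's local
# cache, and whether that matters given the sensitivity of the content.
from __future__ import annotations


def parse_cache_control(value: str | None) -> dict[str, str | None]:
    """Split a Cache-Control header into {directive: argument or None}.

    'public, max-age=3600' -> {'public': None, 'max-age': '3600'}
    """
    directives: dict[str, str | None] = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict[str, str]) -> bool:
    """True if the user's browser is allowed to keep a local copy of the response.

    Per RFC 9111 only 'no-store' forbids storage. 'no-cache' and 'max-age=0'
    merely force revalidation before reuse, and 'private' only keeps the
    response out of shared caches; none of those stops a copy from landing
    on the disk of a computer shared with other users, which is the threat
    the pentest description is about.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control"))
    return "no-store" not in cc


def assess(headers: dict[str, str], contains_sensitive_data: bool) -> str:
    """Map one response to a disposition for the 'Cacheable HTTPS' finding."""
    if not browser_may_store(headers):
        return "ok: no-store set"
    if contains_sensitive_data:
        return "finding: sensitive response is cacheable; set Cache-Control: no-store"
    return "accepted: public content, caching kept for performance"


# Header set a server would send on responses that DO carry sensitive data
# (the change the pentest recommendation asks for).
SENSITIVE_RESPONSE_HEADERS = {
    "Cache-Control": "no-store",  # the only directive that forbids storage
    "Pragma": "no-cache",         # legacy hint for HTTP/1.0-era intermediaries
}

# Constructed sample responses (labels and headers are made up for this example).
SAMPLES = [
    ("public landing page", {"Cache-Control": "public, max-age=3600"}, False),
    ("account details page", {"Cache-Control": "private, no-cache"}, True),
    ("account details page, fixed", SENSITIVE_RESPONSE_HEADERS, True),
    ("page with no caching headers", {}, True),
]


def run_samples() -> list[tuple[str, str]]:
    """Assess every constructed sample; returns (label, disposition) pairs."""
    return [(name, assess(h, sensitive)) for name, h, sensitive in SAMPLES]


if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{name:30} -> {verdict}")
```

The `private, no-cache` sample is the case worth noticing: it looks restrictive but still lets the browser store the page, so on a shared workstation it does not address the report's concern. For the public pages this issue covers, the "accepted" branch is the documented outcome.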