OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: Transport Layer Protection #1259

Closed TobiDimmel closed 7 months ago

TobiDimmel commented 9 months ago

What is missing or needs to be updated?

I'm wondering about the recommended Cache-Control header in the Prevent Caching of Sensitive Data section. What is the reasoning behind no-cache and must-revalidate, since no-store is more restrictive and should be the only effective directive?

MDN has an example that illustrates the interaction between these directives.

How should this be resolved?

For a clearer recommendation, the Cache-Control header should only have the no-store directive.

jmanico commented 9 months ago

Those are fallbacks recommended by the W3C security working group to support older browsers and clients.
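The thread turns on which directives actually prevent storage of a sensitive response. The following is an added example (not from the cheat sheet, the issue or its commenters) that parses a Cache-Control value per RFC 9111 token rules and reports whether no-store is present and which of the legacy fallback directives (no-cache, must-revalidate) are missing, so a response can be checked in a test or middleware before it leaves the application; the header names and sample values are constructed.

```python
"""Check Cache-Control headers on responses that carry sensitive data."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Directives discussed in the issue: no-store alone forbids storage in
# HTTP caches; no-cache and must-revalidate are the legacy fallbacks.
STRICT = {"no-store"}
FALLBACKS = {"no-cache", "must-revalidate"}

# One directive: token, optionally '=' followed by a quoted-string or a
# bare argument. Quoted strings may contain commas, so a naive split is wrong.
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]*))?')


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Return {directive: argument} with names lower-cased (case-insensitive)."""
    directives: Dict[str, Optional[str]] = {}
    for match in _DIRECTIVE.finditer(value):
        name, arg = match.group(1).lower(), match.group(2)
        directives[name] = arg.strip('"') if arg is not None else None
    return directives


@dataclass
class CacheVerdict:
    prevents_storage: bool       # True only when no-store is present
    missing_fallbacks: Set[str]  # legacy directives the header lacks


def assess_sensitive_response(headers: Dict[str, str]) -> CacheVerdict:
    """Evaluate the Cache-Control header of a response (header name matched case-insensitively)."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    present = set(parse_cache_control(raw))
    return CacheVerdict(
        prevents_storage=bool(STRICT & present),
        missing_fallbacks=FALLBACKS - present,
    )


if __name__ == "__main__":
    # Constructed sample header values, including the two forms debated above.
    for hdr in ("no-store", "no-cache, must-revalidate",
                "no-cache, no-store, must-revalidate", "max-age=0"):
        print(f"{hdr!r:42} -> {assess_sensitive_response({'Cache-Control': hdr})}")
```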