palantir / dropwizard-web-security

A Dropwizard bundle for applying default web security functionality
https://bintray.com/palantir/releases/dropwizard-web-security/view
Apache License 2.0
37 stars 16 forks

cache headers in the security bundle #27

Open jmcampanini opened 8 years ago

jmcampanini commented 8 years ago

consider adding cache headers. an example of this (and rationale) can be found here: Spring Security Cache Controls.

the goal would be to add these headers only if they haven't already been set. this would allow servlets to still define their caching functionality.

the proposed implementation would be to:

  1. if the Cache-Control or Pragma header is set, do not set anything
  2. set the 3 headers listed below to the values configured

this will follow the same priority for configuration as the rest of the bundle (high to low): YAML > coded values > default values of bundle.

the headers and their default values:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

// tagging for SA: @qinfchen @derekcicerone @jlz27 @rcchen
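The two rules above (skip everything if Cache-Control or Pragma is already present, otherwise write the three configured headers) as an added servlet-filter example. This is illustrative code written for this thread, not the bundle's own implementation; the class name CacheHeadersFilter, the constructor that takes configured overrides, and the DefaultingResponse wrapper are all assumptions. The wrapper writes the defaults just before the response commits (first call to getOutputStream/getWriter, flushBuffer, sendError or sendRedirect), so headers that a servlet or JAX-RS resource sets during the chain are seen by the "already set" check regardless of whether they were set with setHeader or addHeader.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of dropwizard-web-security) that applies the
 * cache headers proposed in this issue only when nothing upstream set them.
 */
public final class CacheHeadersFilter implements Filter {

    /** Bundle-level defaults, exactly the values listed in the proposal. */
    static Map<String, String> defaultHeaders() {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
        h.put("Pragma", "no-cache");
        h.put("Expires", "0");
        return h;
    }

    private final Map<String, String> headers;

    public CacheHeadersFilter() {
        this(Collections.<String, String>emptyMap());
    }

    /** Configured values override the defaults key by key (YAML > coded values > bundle defaults). */
    public CacheHeadersFilter(Map<String, String> configured) {
        Map<String, String> merged = defaultHeaders();
        merged.putAll(configured);
        this.headers = Collections.unmodifiableMap(merged);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        DefaultingResponse wrapped = new DefaultingResponse((HttpServletResponse) res);
        chain.doFilter(req, wrapped);
        // Covers a servlet that set headers or status but never wrote a body.
        wrapped.writeDefaultsIfAbsent();
    }

    /** Applies the defaults once, immediately before the wrapped response commits. */
    private final class DefaultingResponse extends HttpServletResponseWrapper {
        private boolean applied;

        DefaultingResponse(HttpServletResponse response) {
            super(response);
        }

        void writeDefaultsIfAbsent() {
            if (applied || isCommitted()) {
                return; // headers can no longer change once committed
            }
            applied = true;
            // Rule 1: if Cache-Control or Pragma is already set, leave the response alone.
            if (containsHeader("Cache-Control") || containsHeader("Pragma")) {
                return;
            }
            // Rule 2: write the three configured headers.
            headers.forEach(this::setHeader);
        }

        @Override public ServletOutputStream getOutputStream() throws IOException {
            writeDefaultsIfAbsent(); return super.getOutputStream();
        }
        @Override public PrintWriter getWriter() throws IOException {
            writeDefaultsIfAbsent(); return super.getWriter();
        }
        @Override public void flushBuffer() throws IOException {
            writeDefaultsIfAbsent(); super.flushBuffer();
        }
        @Override public void sendError(int sc) throws IOException {
            writeDefaultsIfAbsent(); super.sendError(sc);
        }
        @Override public void sendError(int sc, String msg) throws IOException {
            writeDefaultsIfAbsent(); super.sendError(sc, msg);
        }
        @Override public void sendRedirect(String location) throws IOException {
            writeDefaultsIfAbsent(); super.sendRedirect(location);
        }
    }
}
```

Registered from a Dropwizard Application's run method with the standard servlet environment API, e.g. `environment.servlets().addFilter("cache-headers", new CacheHeadersFilter()).addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");`, the filter gives the global default that was asked for while any resource that sets its own Cache-Control (by hand or via Dropwizard's @CacheControl annotation) keeps its own value, because the defaults are only written when that header is absent at commit time.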

derekcicerone-zz commented 8 years ago

Why is this part of the security bundle?

jmcampanini commented 8 years ago

there seems to be sufficient security implications to not having these headers properly set:

  1. https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Browser_Cache
  2. https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/#cache-control

considering the security implications, and that the majority of our services are already setting this with one-off filters, I think it's common security-related code that fits within the context of the web-security bundle.

derekcicerone-zz commented 8 years ago

Let's discuss offline, maybe there is something I'm not entirely understanding here because I don't see why the defaults built into Jetty aren't sufficient.

jmcampanini commented 8 years ago

discussed offline. will come back to this later and investigate a better caching strategy for our apps in general. at this point, there is no pressing need as each application is handling this on their own.

tomshen commented 8 years ago

@jmcampanini can I close this?

vanditamathur commented 5 years ago

Hi, any plans of adding the Cache-Control and Pragma headers to the doordeck/dropwizard-web-security project? Lack of these headers shows up as a vulnerability in scans. (Though it is low priority.)

jplock commented 5 years ago

Dropwizard does ship with a native @CacheControl annotation at https://www.dropwizard.io/1.3.9/docs/manual/core.html#caching, if that helps.

vanditamathur commented 5 years ago

Thanks @jplock for the pointer. However, it would be good to have a single global place to do this. I have a lot of resource files and functions, and it would be difficult to annotate all of them.