Cache is a component that transparently stores data so that future requests for that data can be served faster. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere. If requested data is contained in the cache (cache hit), this request can be served by simply reading the cache, which is comparatively faster.
Questions tagged [caching]
68 questions
28
votes
7 answers
Why do we need HTTPS for static content? If we can have a checksum at the end signed by the private key, won't that prove the validity?
This method which I am talking about can improve caching of images, videos, and CSS by the ISP rather than just depending on the browser cache. And it also proves the validity of the sender. Is there any reason why this semi-HTTPs not…
kalyan
- 447
- 4
- 6
19
votes
2 answers
Principles of cache attacks
There are many scientific publications that deal with cache attacks. Most recently, the CacheBleed attack was published which exploits cache bank conflicts on the Intel Sandy Bridge architecture. Most timing attacks use a similar approach:
The…
null
- 525
- 2
- 13
15
votes
1 answer
Is there any evidence misusing the HTTP Pragma header in responses has any (unique) effect?
I've been investigating the Pragma header, since there are already two other cache-busting HTTP response headers (Cache-Control & Expires), and I was interested in which browsers use(d) the old HTTP 1.0 one.
It turns out the spec only defines Pragma…
brianary
- 151
- 7
15
votes
2 answers
What should I do if I type my password in the address bar, or type password in google search?
When someone accidentally types his or her password in one of the following three locations and presses enter, what should they do?
username text box
address bar
Google search
What do you suggest, for example, a checklist, or instruction note?
And…
saber tabatabaee yazdi
- 1,038
- 5
- 16
- 26
14
votes
1 answer
HTTP Caching Headers: private vs no-cache
We're currently reviewing our set of "no-cache" security headers:
Cache-Control "no-cache, no-store, must-revalidate
Pragma "no-cache"
Expires 0
Besides the "standard" set above, I found this article, recommending to combine "no-cache" and…
Th0mas
- 171
- 1
- 5
12
votes
1 answer
Browser cache information disclosure
Observing the time needed by a browser to load external resources such as images potentially discloses information about whether those resources have been accessed before.
Explanation:
For example, by embedding the StackOverflow logo within a…
le_m
- 220
- 1
- 6
12
votes
3 answers
HTTP Content-Security-Policy Nonce and Caching
Is anyone here able to clarify how caching affects adding a nonce=value to all inline javascript?
If the nonce must be unique and unpredictable, then one would need to disable all server-side (i.e. Varnish, Cloudfront, etc) caching on the pages that…
user2687991
- 141
- 1
- 6
11
votes
1 answer
Why does IE11 refuse to enable back navigation caching for HTTPS?
On my website, I get this error message in the console:
DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
That link includes a list of conditions a web site…
Flimm
- 1,230
- 3
- 13
- 22
7
votes
1 answer
What is the proper terminology and base CVSS score for the following cache related behaviour?
An interface (website/application) that requires authentication should have a proper HTTP caching mechanism. When it doesn't, it allows an attacker to browse back after logout or read the cache in another way.
In order to do so, the server should…
Bob Ortiz
- 6,234
- 8
- 43
- 90
7
votes
2 answers
Are webcache pages more secure?
Whenever I see a suspicious looking URL I want to go to, I usually just search it up on Google's webcache and browse the site that way. But I just realized that I never really had evidence to support this kind of habit. Are web cached pages…
Craig Fox
- 81
- 1
- 2
6
votes
1 answer
e-tags on sensitive information
Suppose we have a big JSON document that only certain users can see, but that rarely changes, but which, if it does change, users expect to see the change quite quickly. It makes sense to use etags for this - it saves the whole document being…
Paul Stovell
- 303
- 1
- 2
- 8
6
votes
2 answers
Is it safe to use Memcached in a shared hosting environment?
The shared hosting I am using had Memcached enabled, I searched some forums that using Memcached in a shared hosting environment, can cause security problems like view the cache of the other user, edit the cache, etc. But the date is way back 2013,…
Da Heel
- 81
- 1
- 2
5
votes
3 answers
Should login pages be cacheable?
I'm considering the relative benefits/disadvantages of making a login page cacheable. Note that here I'm referring to the page containing the form into which the user enters their username and password.
Certainly it doesn't add any protection…
symcbean
- 18,278
- 39
- 73
5
votes
1 answer
What can stop a browser to cache data from ProtonMail conversations?
I think this question arises primarily from my insufficient understanding of browser caching. Let's log in to ProtonMail, and read a message. My understanding is that an encrypted 'blob' of data gets downloaded by my browser, and it gets decrypted…
5
votes
1 answer
Can I use CloudFlare if I want to avoid NSA and FISA secret orders?
We're running a web service in Europe, secured with TLS and we're using private keys generated on our private hardware.
We would like to use CloudFlare for DDoS protection and caching reverse proxy.
However, putting my tinfoil hat on, I'm wondering…
Mikko Rantalainen
- 513
- 2
- 11