- changed status to open
Improve security by preventing browser caching
Issue #105
resolved
Hi,
It would be nice to add the header Cache-Control: max-age=0, no-cache, no-store, must-revalidate
when serving the private views for this app (messages list, view...). The point being if a user logout, then it would be harder for a potential attacker on the same computer to view the private pages in the browser history.
An easy way to add this header is to wrap the sensitive views with the decorator django.views.decorators.cache.never_cache.
Thanks!
Comments (6)
-
repo owner -
repo owner - marked as enhancement
-
assigned issue to
-
reporter I just tested on my project with Firefox 61.0.1 on Linux Mint. I did the following:
- Login
- go to /messages/inbox/ and see the list of messages
- click on Logout link
- press the back button in Firefox
- see the list again (we shouldn't, that's where cache-control would be useful)
Please note that Chrome does not behave the same and does not show the message list after clicking the back button.
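Added example, not code from this issue or from the project: a standard-library stand-in for the fix proposed in the first post (wrapping private views so the response carries Cache-Control: max-age=0, no-cache, no-store, must-revalidate) together with the check a reviewer would run on the responses of the views in the reproduction steps above. Views here are plain WSGI-style callables returning (status, headers, body) rather than Django views, so it runs without Django installed; the decorator merges the directives into an existing Cache-Control header the way Django's never_cache does on an HttpResponse. The names add_never_cache_headers, missing_cache_directives, inbox_view, fixed_inbox_view and ENVIRON are constructed for the example.

```python
"""Standard-library stand-in for the never_cache fix discussed in this issue.

Constructed example: views are (status, headers, body) callables, not Django
views. Django's django.views.decorators.cache.never_cache does the equivalent
on an HttpResponse.
"""
from functools import wraps

# Directives from the header proposed in the issue (max-age=0 is set separately).
NO_CACHE_DIRECTIVES = ("no-cache", "no-store", "must-revalidate")


def _parse_cache_control(value):
    """Turn 'public, max-age=60' into {'public': None, 'max-age': '60'}."""
    parsed = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        key, _, val = directive.partition("=")
        parsed[key.strip().lower()] = val.strip() or None
    return parsed


def _format_cache_control(directives):
    return ", ".join(k if v is None else f"{k}={v}" for k, v in directives.items())


def add_never_cache_headers(headers):
    """Return a copy of the header list whose Cache-Control forbids storing.

    Existing Cache-Control directives are kept, an existing max-age is
    overridden to 0, and no-cache/no-store/must-revalidate are added.
    """
    kept, directives = [], {}
    for name, value in headers:
        if name.lower() == "cache-control":
            directives.update(_parse_cache_control(value))
        else:
            kept.append((name, value))
    directives["max-age"] = "0"
    for directive in NO_CACHE_DIRECTIVES:
        directives[directive] = None
    kept.append(("Cache-Control", _format_cache_control(directives)))
    return kept


def never_cache(view):
    """Decorator in the spirit of Django's never_cache for (status, headers, body) views."""
    @wraps(view)
    def wrapper(environ):
        status, headers, body = view(environ)
        return status, add_never_cache_headers(headers), body
    return wrapper


def inbox_view(environ):
    """Private page as it was before the fix: nothing tells the browser not to store it."""
    return "200 OK", [("Content-Type", "text/html; charset=utf-8")], b"<h1>Inbox</h1>"


@never_cache
def fixed_inbox_view(environ):
    """Same page after the fix."""
    return inbox_view(environ)


def cache_control_value(headers):
    for name, value in headers:
        if name.lower() == "cache-control":
            return value
    return None


def missing_cache_directives(headers):
    """The review check: which required directives are absent (empty set means OK)."""
    present = {}
    for name, value in headers:
        if name.lower() == "cache-control":
            present.update(_parse_cache_control(value))
    return set(NO_CACHE_DIRECTIVES) - set(present)


# Constructed request environ for the page from the reproduction steps.
ENVIRON = {"REQUEST_METHOD": "GET", "PATH_INFO": "/messages/inbox/"}

if __name__ == "__main__":
    for view in (inbox_view, fixed_inbox_view):
        _, headers, _ = view(ENVIRON)
        print(view.__name__, "->", cache_control_value(headers),
              "missing:", missing_cache_directives(headers) or "none")
```

Running the block prints the before and after header for the inbox page; missing_cache_directives is the function to apply to every response a logged-in user can receive, since a private view that sets only max-age or no-cache still lets the browser keep a copy that the back button can show after logout.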
-
repo owner Reproduced. WIP.
-
repo owner - changed status to resolved
Fixed in repo.
-
reporter Perfect, thanks!
The point about security is true, but I can't determine in which cases the browser would put the view contents in cache.
Tracing with runserver and Firefox shows that:
Could you detail in which case there is an exposure to a cache?