Improve security by preventing browser caching

Issue #105 resolved
Rémi Fat Cheung created an issue

Hi,

It would be nice to add the header Cache-Control: max-age=0, no-cache, no-store, must-revalidate when serving the private views for this app (messages list, view...). The point being if a user logs out, then it would be harder for a potential attacker on the same computer to view the private pages in the browser history.

An easy way to add this header is to wrap the sensitive views with the decorator django.views.decorators.cache.never_cache.

Thanks!
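To make the suggestion concrete, here is an added example (not code from django-postman or from Django itself) showing the decorator pattern that `django.views.decorators.cache.never_cache` applies, alongside a check a test suite could run to confirm a private view is served with the requested directives. The `Response` class, the `inbox` view and the `request` argument are constructed stand-ins for a real Django response and request.

```python
from functools import wraps

# The header value requested in this issue; no-store is the directive that
# keeps browsers from reusing the page when the user presses "back".
NEVER_CACHE = "max-age=0, no-cache, no-store, must-revalidate"
REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


class Response:
    """Constructed stand-in for django.http.HttpResponse (body + headers)."""

    def __init__(self, body):
        self.body = body
        self.headers = {}


def never_cache(view):
    """Mirror of the Django decorator: stamp the response after the view runs."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.headers["Cache-Control"] = NEVER_CACHE
        return response

    return wrapper


def cache_directives(response):
    """Parse Cache-Control into a set of directive names (values dropped)."""
    header = response.headers.get("Cache-Control", "")
    return {part.strip().split("=")[0].lower()
            for part in header.split(",") if part.strip()}


def is_uncacheable(response):
    """True when every directive the issue asks for is present."""
    return REQUIRED_DIRECTIVES <= cache_directives(response)


def inbox_plain(request):
    # Hypothetical private view as it is today: no cache headers at all.
    return Response("<ul><li>message 1</li></ul>")


# The same view wrapped as the issue proposes.
inbox_protected = never_cache(inbox_plain)

if __name__ == "__main__":
    print(is_uncacheable(inbox_plain(None)))       # False
    print(is_uncacheable(inbox_protected(None)))   # True
```

In a real project the check would be a unit test that fetches `/messages/inbox/` with Django's test client and asserts on `response["Cache-Control"]`.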

Comments (6)

  1. Patrick Samson repo owner
    • changed status to open

    The point about security is true, but I can't determine in which cases the browser would put the view contents in cache.

    Tracing with runserver and Firefox shows that:

    • the css files are put in cache because of a Last-Modified returned by 'django.contrib.staticfiles' and further served with a "304 Not Modified". That's fine.
    • the inbox/ contents are not kept in cache (or listed as "Expired Immediately").

    Could you detail in which case there is an exposure to a cache?

  2. Rémi Fat Cheung reporter

    I just tested on my project with Firefox 61.0.1 on Linux Mint. I did the following:

    • Login
    • go to /messages/inbox/ and see the list of messages
    • click on Logout link
    • press the back button in Firefox
    • see the list again (we shouldn't, that's where cache-control would be useful)

    Please note that Chrome does not behave the same and does not show the message list after clicking the back button.
