Do Not Cache Sensitive Data
What to Do
ASP.NET output caching is a great way to improve application performance, however, if your page contains data that is sensitive, such as a password, credit card number, or account status, the page should not be cached. ASP.NET output caching is off by default.
Output caching is usually done on the client, and that has serious security implications if the page being cached has sensitive data. Output caching is similar in impact to storing sensitive data in cookies. The data may persist on the client machine, on proxy servers or on the web server. Due to this fact, it leaves interesting data available to attackers should the devices caching the data be compromised.
If a page displays sensitive info, ensure output caching is disabled.
Output caching is off by default and must be explicitly turned on in order to be activated. There are two ways that output caching can be turned on: high-level declarative API, or low-level programmatic API. The high-level declarative API is used by including the@OutputCache directive in the .aspx file for a page. The low-level programmatic API is used through the Page.Response.Cache property which returns an instance of theHttpCachePolicy class.
Use the following steps to ensure that sensitive data is not cached:
- Review pages for sensitive data. Review all of your pages for instances of sensitive data. This could include, but is not limited to:
- Information that either contains personally identifiable information or can be used to derive personally identifiable information that should not be shared with users.
- Information that a user provides that they would not want shared with other users of the application.
- Information that comes from an external trusted source that is not designed to be shared with users.
- Review the pages for declarative Output Caching. Review the pages discovered in step 1 for the use of the@OutputCache directive. If it exists, remove it.
- Review the pages for programmatic Output Caching. Review the pages discovered in step 1 for the use of theHttpCachePolicy class. Generally this is accessed through thePage.Response.Cacheproperty.
An ASP.NET application contains a page that asks the user for credit card information in order to complete an e-commerce transaction. For performance reasons, all pages in the application have output caching turned on through the use of the@OutputCache directive
<%@ OutputCache Duration="60" VaryByParam="None" %>
This results in the page, including sensitive data, being cached on any HTTP 1.1 capable devices - including browsers, proxies and the web server.
An ASP.NET application contains a page that asks the user for credit card information in order to complete an e-commerce transaction. For performance reasons, almost all of the pages in the application have output caching turned on through the use of the@OutputCache directive. However sensitive pages, such as the page that includes credit card information have had the@OutputCache directive removed to prevent them from being cached on HTTP 1.1 capable devices.