Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Do Not Cache Sensitive Data

  
  

Applies To

ASP.NET 4.0

What to Do

ASP.NET output caching is a great way to improve application performance, however, if your page contains data that is sensitive, such as a password, credit card number, or account status, the page should not be cached. ASP.NET output caching is off by default.

Why

Output caching is usually done on the client, and that has serious security implications if the page being cached has sensitive data. Output caching is similar in impact to storing sensitive data in cookies. The data may persist on the client machine, on proxy servers or on the web server. Due to this fact, it leaves interesting data available to attackers should the devices caching the data be compromised.

When

If a page displays sensitive info, ensure output caching is disabled.

How

Output caching is off by default and must be explicitly turned on in order to be activated. There are two ways that output caching can be turned on: high-level declarative API, or low-level programmatic API. The high-level declarative API is used by including the@OutputCache directive in the .aspx file for a page. The low-level programmatic API is used through the Page.Response.Cache property which returns an instance of theHttpCachePolicy class.

Use the following steps to ensure that sensitive data is not cached:

  1. Review pages for sensitive data. Review all of your pages for instances of sensitive data. This could include, but is not limited to:
  • Information that either contains personally identifiable information or can be used to derive personally identifiable information that should not be shared with users.
  • Information that a user provides that they would not want shared with other users of the application.
  • Information that comes from an external trusted source that is not designed to be shared with users.
  1. Review the pages for declarative Output Caching. Review the pages discovered in step 1 for the use of the@OutputCache directive. If it exists, remove it.
  2. Review the pages for programmatic Output Caching. Review the pages discovered in step 1 for the use of theHttpCachePolicy class. Generally this is accessed through thePage.Response.Cacheproperty.

Problem Example

An ASP.NET application contains a page that asks the user for credit card information in order to complete an e-commerce transaction. For performance reasons, all pages in the application have output caching turned on through the use of the@OutputCache directive

<%@ OutputCache Duration="60" VaryByParam="None" %>

This results in the page, including sensitive data, being cached on any HTTP 1.1 capable devices - including browsers, proxies and the web server.

Solution Example

An ASP.NET application contains a page that asks the user for credit card information in order to complete an e-commerce transaction. For performance reasons, almost all of the pages in the application have output caching turned on through the use of the@OutputCache directive. However sensitive pages, such as the page that includes credit card information have had the@OutputCache directive removed to prevent them from being cached on HTTP 1.1 capable devices.

Comments

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics