For a project of ours, our customer ran a "pen test" across the ASP.NET Webforms 4.0 application and found a number of security issues that they want us to fix.
The one that causes the most discussion so far is a finding that the app allows pages and content to be cached, and this could potentially lead to unauthorized users seeing data they shouldn't see (that's what the "Pen Test" finding says, roughly).
The suggested "fix" is to set the Cache-Control and Pragma HTTP headers to no-cache to avoid such caching, by adding this to my web.config:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Cache-Control" value="no-cache, no-store, must-revalidate, private"/>
      <add name="Pragma" value="no-cache"/>
      <add name="Expires" value="-1"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
But I'm a bit reluctant to do this globally - doesn't this also turn off any caching of images, Javascript and CSS files for the application? That could have a significant and negative impact on site performance - no?
So can I do something "in between" ? Prevent the actual ASP.NET pages from being cached, with the data they present, but still keep caching of static content in place? If that is possible: what headers do I have to set to what to achieve this?
Thanks!
If you are using a master page for the site, or have extended the Page class and created your pages from that extended Page class, then you can place the code in the appropriate Page_Load event.
using System;
using System.Web;

// Code-behind of the master page (or the shared base Page class)
protected void Page_Load(object sender, EventArgs e)
{
    Response.Cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache, Pragma: no-cache
    Response.Cache.SetExpires(DateTime.Now.AddDays(-1));             // Expires: <a date in the past>
    Response.Cache.SetNoStore();                                     // Cache-Control: no-store
    Response.Cache.SetProxyMaxAge(new TimeSpan(0, 0, 0));            // Cache-Control: s-maxage=0
    Response.Cache.SetValidUntilExpires(false);                      // let client Cache-Control headers invalidate the cached copy
    Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
}
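As an added example (not code from the question or the answer above), the same "in between" policy can be applied once for the whole site with an HttpModule that sets the no-store headers only on responses produced by System.Web.UI.Page handlers; static files served by IIS keep their normal cache headers. The module name NoCachePagesModule and its web.config registration are assumptions for this illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical module: register it in web.config (integrated pipeline) under
// <system.webServer><modules><add name="NoCachePages" type="NoCachePagesModule"/></modules></system.webServer>
public class NoCachePagesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // PostRequestHandlerExecute fires after the handler has run but before the
        // headers are sent, so the handler type is known and the cache policy can still change.
        app.PostRequestHandlerExecute += (sender, e) =>
        {
            HttpContext context = ((HttpApplication)sender).Context;

            // Only dynamic pages carry user data; images, JS and CSS are not Page handlers,
            // so they fall through untouched and keep whatever client-cache policy IIS sets.
            if (context.Handler is Page)
            {
                HttpCachePolicy cache = context.Response.Cache;
                cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache, Pragma: no-cache
                cache.SetNoStore();                                     // Cache-Control: no-store
                cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // Cache-Control: must-revalidate
                cache.SetExpires(DateTime.UtcNow.AddDays(-1));          // Expires: a date in the past
            }
        };
    }

    public void Dispose() { }
}
```

Static content keeps caching through the usual <staticContent><clientCache .../> setting in web.config, so after deploying this you can confirm the split with a browser's network panel: .aspx responses should show no-store while images and scripts still show a max-age.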