I am working on a legacy application running Java Struts v.1 and WebSphere v.8.5 as the server, using an HTTPS connection. I am trying to bring the application up to compliance with regard to its security. One of the tasks we need to accomplish with this application is to add anti-caching response headers on every existing page:
Cache-Control: no-cache, no-store
Expires: 0
Pragma: no-cache
I have managed to add the headers, but with the headers enabled we are seeing that the back button functionality no longer works correctly on the pages that use HTTP POST requests. We are getting the following pages displayed in the respective browsers:
IE:
Webpage has expired
Most likely cause:
• The local copy of this webpage is out of date, and the website requires that you download it again.
Something to try: Click on the Refresh button on the toolbar to reload the page. After refreshing, you might need to navigate to the specific webpage again, or re-enter information.
Chrome:
Confirm Form Resubmission
This webpage requires data that you entered earlier in order to be properly displayed. You can send this data again, but by doing so you will repeat any action this page previously performed. Press the reload button to resubmit the data needed to load the page.
ERR_CACHE_MISS
If one refreshes the page after these screens are shown, we are taken back to the page we originally wanted.
Looking into the issue, it seems that the Cache-Control: no-cache, no-store headers are to blame for the error page when clicking the back button.
Therefore my question is: are there any workarounds to this issue, in terms of keeping the header or adding something that will let the user use the back button without seeing the browser's error screen and then having to refresh the page? Or will I just have to exclude the pages that use POST from having the Cache-Control headers?
A few things to note:
- Meta tags are considered insufficient to remediate this security vulnerability. (HTML Meta Tags and HTTP Headers)
- I have also tried adding other Cache-Control headers, but none of them solved the back button issue:
  must-revalidate
  age
  post-check & pre-check
  etc...
I appreciate any insights and help. Thank you in advance.
To anyone having the same issue, this is how I got around the error.
I implemented the Post/Redirect/Get (PRG) model for server-side rendered pages. This functionality can be found in most modern frameworks; a simple Google search will show you how to do this for your framework.
In addition, for pages where I did not want to implement the PRG model and wanted to control the back button event, I ended up using the following script with jQuery.
Please note: this method will only work on modern browsers; use at your discretion.
<!-- Import jQuery -->
<script src="jquery-1.11.0.min.js"></script>
<!-- Add this to the JS logic of the page you want to change -->
<script type="text/javascript">
jQuery(document).ready(function($) {
    if (window.history && window.history.pushState) {
        $(window).on('popstate', function() {
            // hashName is undefined unless the URL contains "#!/", so this guard
            // only skips URLs of the form "#!/" with an empty route name
            var hashLocation = location.hash;
            var hashSplit = hashLocation.split("#!/");
            var hashName = hashSplit[1];
            if (hashName !== '') {
                var hash = window.location.hash;
                // An empty hash means the user has gone back past the dummy entry
                // pushed below, so send them to the page of your choice instead
                // of letting the browser re-request the POST result
                if (hash === '') {
                    document.location.href = '/Your/Redirection/Here';
                }
            }
        });
        // Push a dummy history entry so the first back press stays on this page
        // and fires popstate instead of returning to the cached POST response
        window.history.pushState('forward', null, '#SomeIDYouAreNotUsing');
    }
});
</script>
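As an added example (not the poster's code), here is what the server side of this approach can look like in a Struts 1 application: a servlet Filter that stamps the three anti-caching headers on every response, plus an Action that applies Post/Redirect/Get so the history entry the back button returns to is a GET, not the POST. The package, class names, the session attribute and the "/order/confirm.do" path are assumed for illustration.

```java
// File 1: example/web/NoCacheFilter.java
// Map it to /* in web.xml so every page, including Struts .do requests, gets the headers:
//   <filter><filter-name>noCache</filter-name><filter-class>example.web.NoCacheFilter</filter-class></filter>
//   <filter-mapping><filter-name>noCache</filter-name><url-pattern>/*</url-pattern></filter-mapping>
package example.web;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class NoCacheFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Set the headers before the chain runs, so they are in place before
        // any JSP commits the response (headers set after commit are dropped).
        resp.setHeader("Cache-Control", "no-cache, no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setHeader("Expires", "0");
        chain.doFilter(req, res);
    }
}

// File 2: example/web/SubmitOrderAction.java (hypothetical action, mapped to a POST form)
package example.web;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class SubmitOrderAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Do the state-changing work of the POST here; anything the confirmation
        // page needs is parked in the session rather than forwarded with the POST.
        request.getSession().setAttribute("orderFlash", "Order submitted");
        // redirect=true sends a 302 to a GET URL instead of forwarding to the JSP,
        // so the browser's history holds a GET that can be re-requested safely.
        return new ActionForward("/order/confirm.do", true);
    }
}
```

With no-store in place the confirmation page is still re-fetched on back navigation, but as a GET it loads without the "Confirm Form Resubmission" or "Webpage has expired" screen.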