The application we are building needs to store people's SSN. We already protect them using HTTPS in transit and in storage using DynamoDB's in-built encryption. The question is, how to protect it in a web page once arrived in a user's browser?
Example: There are two types of users who can access a person's SSN. The owner of the SSN and the administrators so the page which have the SSN is already protected using an app wide authentication. My question is, what else should we do? Ask the user to enter the password in that specific page again? Anything else we can do?
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Don't cache the value on your own like don't use local storage.
Prevent XSS attacks on your application. And any other types of attacks that may reveal the data over injection from the server... I know, this goes deep. But the attack surface of typical applications is huge. Client-side injections, server-side injections, remote code execution, stupid business logic issues, logging. All this may reveal your SSNs to third parties. You need to comply with much more than just the client side to make sure your SSNs do not leak. Feel free to look into OWASP ASVS to see how big the list can get.