HTTPS cachable responses

Check that the application does not leak any sensitive data into the browser cache. In order to do that, search through the server responses that belong to the session, checking that for every page that contains sensitive information the server instructed the browser not to cache any data, with headers:

• Cache-Control: no-store

• Pragma: no-cache

The exact location where that information is stored depends on the client operating system and on the browser that has been used. Here are some examples:

• Mozilla Firefox:

  • Unix/Linux: ~/.cache/mozilla/firefox/

  • Windows: C:\Users\<user_name>\AppData\Local\Mozilla\Firefox\Profiles\<profile-id>\Cache2\

• Internet Explorer:

  • C:\Users\<user_name>\AppData\Local\Microsoft\Windows\INetCache\

• Chrome:

  • Windows: C:\Users\<user_name>\AppData\Local\Google\Chrome\User Data\Default\Cache

  • Unix/Linux: ~/.cache/google-chrome

Mozilla Firefox

Analysed cached responses at about:cache page of the browser: