What is Lack of Security Headers – Cache-Control for a Sensitive Page Vulnerability?

Browsers save data for two reasons: caching and history. Caching improves efficiency by avoiding repeated downloads of information that was already shown. History features exist for the user's convenience, so that the user can view exactly what they saw at the moment the resource was retrieved. If the user is shown sensitive information (such as their address, credit card details, Social Security Number, or login), this information may be cached or stored in history and is therefore retrievable by inspecting the browser's cache or simply by using the browser's "Back" button.

An attacker with local access to a user’s web browser may be able to extract cached copies of previously viewed resources, potentially revealing any sensitive data.

The web server should be configured so that caching behavior is explicitly controlled on all pages. The Cache-Control header must be set to no-store to prevent a page from being cached; no-store is the most restrictive Cache-Control directive. It tells the browser not to cache the page and not to write it to the browser's cache folder. This directive should be applied to every sensitive page. With it in place, the application has complete control over how its pages are cached. Other HTTP headers, such as Pragma: no-cache and Expires, should also be set (note: these headers do not guarantee that a browser will not store the data in its cache folder, but they are honored by certain browsers).
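As an added example (not code from the original article or from ZOFixer), the following Python snippet shows the two sides of this fix: a WSGI middleware that forces the Cache-Control: no-store, Pragma: no-cache and Expires headers onto responses for sensitive routes, and a small checker that reports a response whose headers would leave a sensitive page cacheable. The route prefixes /account and /checkout, the toy application and its "account balance" body are assumptions constructed for the example.

```python
"""Added example: apply and verify anti-caching headers on sensitive pages.

Assumptions (not from the original article): the application is WSGI-based,
and pages under /account and /checkout are the sensitive ones.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

SENSITIVE_PREFIXES = ("/account", "/checkout")   # hypothetical sensitive routes

# Header set from the article: no-store is the most restrictive directive;
# Pragma and Expires are added because some older clients and proxies honour
# them even though they give no guarantee on their own.
NO_STORE_HEADERS: Headers = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),          # a past/invalid date means "already expired"
]


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def apply_no_store(headers: Headers) -> Headers:
    """Replace any caching headers the app set with the no-store set."""
    drop = {name.lower() for name, _ in NO_STORE_HEADERS}
    return [h for h in headers if h[0].lower() not in drop] + list(NO_STORE_HEADERS)


def no_store_middleware(app):
    """WSGI middleware: sensitive paths always leave with no-store headers."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def patched_start_response(status, headers, exc_info=None):
            if is_sensitive(path):
                headers = apply_no_store(headers)
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)
    return wrapped


def cache_control_tokens(value: str) -> set:
    """'no-store, max-age=0' -> {'no-store', 'max-age'} (directive names only)."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}


def check_cache_headers(headers: Headers) -> List[str]:
    """Findings for a sensitive page's response headers; empty list = passes."""
    by_name: Dict[str, str] = {name.lower(): value for name, value in headers}
    findings: List[str] = []
    cc = by_name.get("cache-control")
    if cc is None:
        findings.append("Cache-Control header missing")
    elif "no-store" not in cache_control_tokens(cc):
        findings.append(f"Cache-Control lacks no-store: {cc!r}")
    if by_name.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    if "expires" not in by_name:
        findings.append("Expires header missing")
    return findings


def demo_app(environ, start_response):
    """Constructed toy app that wrongly marks every page as publicly cacheable."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"account balance: 42\n"]   # constructed sensitive content


def response_headers(app, path: str) -> Headers:
    """Invoke a WSGI app for `path` offline and return the headers it sent."""
    captured: Dict[str, Headers] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    body = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    list(body)   # consume the body iterable as a real server would
    return captured["headers"]


if __name__ == "__main__":
    hardened = no_store_middleware(demo_app)
    for path in ("/account/profile", "/public/about"):
        print(path, "bare:   ", check_cache_headers(response_headers(demo_app, path)))
        print(path, "wrapped:", check_cache_headers(response_headers(hardened, path)))
```

The checker deliberately treats a Cache-Control value without no-store (for example public, max-age=3600 or even no-cache alone) as a finding, because only no-store stops the page from being written to disk; the middleware likewise overwrites rather than appends, so a permissive value set deeper in the application cannot survive on a sensitive route.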

ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.
