Unsafe cache control policy with CA SSO Web agent

Document ID : KB000010679
Last Modified Date : 14/02/2018

How do I instruct the Web Agent to implement a safe caching policy?


A penetration test detected a potentially unsafe cache control policy for secure content. Content transmitted over an SSL/TLS channel is protected in transit, but that says nothing about what the receiving browser or an intermediate proxy writes to disk, so administrators must ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that user agents do not cache content served over TLS by default can cause an application to fail the organization's cache policy by leaving secure content cacheable by browsers. An unsafe directive such as Cache-Control: public explicitly tells browsers and shared caches that the content may be persisted to disk. Caching of sensitive content is restricted by including one of the following directives in the response, listed here from weakest to strongest:
• Cache-Control: private - only the end user's browser may cache the response; shared caches (proxies) must not. The browser may still write it to disk.
• Cache-Control: no-cache - the response may be stored, but must be revalidated with the origin server before it is reused.
• Cache-Control: no-store - the response must not be stored at all; this is the directive to use for genuinely sensitive content.

Web Agent: r12.5 and above

To prevent this vulnerability, set the ExpireForProxy ACO parameter to YES.

When ExpireForProxy=YES, the Web Agent inserts the following HTTP headers in the response:

> Expires: set to a date in the past, which marks the page as already stale so that a proxy does not cache it, as dictated by the HTTP 1.0 specification
> Cache-Control: no-cache: which tells HTTP 1.1 caches that the response must be revalidated before it is reused (this is the header that the IgnoreExt exception below suppresses)

Note:

All of this is fine for normal resources, but there are certain resources that you may still want cached, for example .gif or .js files, which normally do not change and do not need to be protected.
If these resources are not cached on the client side, they add unnecessary network traffic: every page load fetches them again.

To ensure that these files are cached (an exception to the no-cache setting), do the following:
> Include the extensions of the files you want cached in IgnoreExt, so IgnoreExt should contain the .gif and .js extensions.
> Set AllowCacheHeaders=YES

After these changes, the Web Agent will not insert the no-cache Cache-Control header in the response for any file whose extension is listed in IgnoreExt, so the browser caches those files as usual.
Because IgnoreExt also excludes those extensions from the agent's protection, list only static, non-sensitive resources there; a page carrying user data that happens to end in an ignored extension would be served both unprotected and cacheable.
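The following Python script is added here as an example; it is not part of the CA SSO Web Agent or of this article. It audits response headers the way the penetration test described above does: it ranks the Cache-Control directives from the first section by how much caching they actually permit, falls back to the HTTP 1.0 Expires header when Cache-Control is absent, and exempts the static extensions held in a hypothetical IgnoreExt set, as the procedure above configures. The URLs, header values, the Expires date and the IgnoreExt contents are constructed for illustration, not captured from a real deployment.

```python
"""Audit HTTP response headers against a safe cache-control policy for
sensitive content.  Added example, not CA SSO Web Agent code: it applies
the policy the article describes, including the IgnoreExt exception for
static assets that are cacheable by design."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from posixpath import splitext
from urllib.parse import urlsplit

# Hypothetical IgnoreExt value: static assets that need neither protection
# nor no-cache headers (the article's .gif/.js exception).
IGNORE_EXT = {".gif", ".js"}


def parse_cache_control(value):
    """'Private, max-age=0' -> {'private': None, 'max-age': '0'}.
    Directive names are case-insensitive; arguments keep their value."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def expires_in_past(value, now):
    """True when an Expires header is already stale.  An unparseable date
    (e.g. '0' or '-1') must be treated as expired by HTTP caches, so it
    counts as 'in the past' as well."""
    try:
        return parsedate_to_datetime(value) <= now
    except (TypeError, ValueError, IndexError):
        return True


def classify(headers, now):
    """Return (verdict, findings) for a response that carries sensitive
    content.  verdict is 'safe', 'weak' or 'unsafe'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "public" in cc:
        return "unsafe", ["Cache-Control: public lets browsers and shared caches persist the content to disk"]
    if "no-store" in cc:
        return "safe", ["no-store: compliant caches keep nothing on disk"]
    if "no-cache" in cc:
        return "safe", ["no-cache: may be stored, but must be revalidated before reuse"]
    if "private" in cc:
        return "weak", ["private: blocks shared caches only; the browser may still write the page to disk"]
    # No relevant Cache-Control directive: HTTP 1.0 caches fall back to Expires.
    if "expires" in h and expires_in_past(h["expires"], now):
        return "weak", ["no Cache-Control; a past Expires marks the response stale for HTTP 1.0 caches"]
    return "unsafe", ["no Cache-Control and no past Expires: caches may apply heuristic freshness"]


def audit(url, headers, now=None, ignore_ext=IGNORE_EXT):
    """Apply the policy with the article's exception: a resource whose
    extension is in IgnoreExt is an unprotected static asset and is
    expected to be cacheable, so it is reported as exempt, not unsafe."""
    now = now or datetime.now(timezone.utc)
    ext = splitext(urlsplit(url).path)[1].lower()
    if ext in ignore_ext:
        return "exempt", [f"{ext} is in IgnoreExt: cacheable by design, must never carry sensitive data"]
    return classify(headers, now)


# Fixed clock so the audit is reproducible (the article's last-modified date).
NOW = datetime(2018, 2, 14, tzinfo=timezone.utc)

# Constructed sample responses, not captured from a real deployment.
SAMPLES = {
    "https://sso.example.com/account/statement.jsp": {   # the pentest finding
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=86400",
    },
    "https://sso.example.com/account/balance.jsp": {     # after ExpireForProxy=YES
        "Content-Type": "text/html",
        "Expires": "Thu, 01 Dec 1994 16:00:00 GMT",
        "Cache-Control": "no-cache",
    },
    "https://sso.example.com/static/logo.gif": {         # IgnoreExt + AllowCacheHeaders=YES
        "Content-Type": "image/gif",
        "Cache-Control": "max-age=604800",
    },
    "https://sso.example.com/account/export.csv": {      # private only: shared caches blocked
        "Content-Type": "text/csv",
        "Cache-Control": "private",
    },
}


def audit_all(samples=SAMPLES, now=NOW):
    """Verdict per URL, for reporting or asserting on in a test."""
    return {url: audit(url, hdrs, now)[0] for url, hdrs in samples.items()}


if __name__ == "__main__":
    for url, hdrs in SAMPLES.items():
        verdict, findings = audit(url, hdrs, NOW)
        print(f"{verdict:7} {url}")
        for finding in findings:
            print("        -", finding)
```

To run this against a live deployment, feed it the headers returned by your own request to a protected page; the script deliberately reports Cache-Control: private as only weak, because that directive leaves the end user's browser free to write the page to disk, which is exactly the exposure the penetration test flagged.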