Nick Coblentz: HTTP Caching Headers in Struts 2

Background

In many cases, the users' web browsing experience can be made more efficient by allowing web browsers to cache pages, images, scripts, and other content. This allows the web browser to retrieve content from the local disk rather than requesting data from the server every time. The end result is a quicker, more responsive user interface.

While this strategy is great for applications that handle public, non-sensitive information, it may not be appropriate for banking, investment, health care, or other similar applications. In general, applications that contain sensitive or confidential information should have controls that reduce the likelihood of information being disclosed to unauthorized individuals.

One way web applications can reduce the likelihood of browsers disclosing sensitive data through caching is to include the following HTTP headers within the server's response.

Cache-control: no-cache, no-store
Pragma: no-cache
Expires: -1

For more information, please see the OWASP AppSec FAQ.

Struts Interceptor Implementation

One way these headers can be included within a Struts 2 application is to create a custom interceptor. An example has been provided below.

CachingHeadersInterceptor Code

(Click the image above to view the code)

Struts.xml

(Click the image above to view the XML)

Results

Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html
Content-Length: 157
Date: Sat, 18 Oct 2008 18:37:35 GMT

200 OK

The code repository containing updated struts 2 modules can be found below:

http://code.google.com/p/struts2securityaddons/

Additionally, you can see discussion of these modules in my earlier blog posts: