In many cases, the users' web browsing experience can be made more efficient by allowing web browsers to cache pages, images, scripts, and other content. This allows the web browser to retrieve content from the local disk rather than requesting data from the server every time. The end result is a quicker, more responsive user interface.
While this strategy is great for applications that handle public, non-sensitive information, it may not be appropriate for banking, investment, health care, or other similar applications. In general, applications that contain sensitive or confidential information should have controls that reduce the likelihood of information being disclosed to unauthorized individuals.
One way web applications can reduce the likelihood of browsers disclosing sensitive data through caching is to include the following HTTP headers within the server's response.
Cache-control: no-cache, no-store Pragma: no-cache Expires: -1For more information, please see the OWASP AppSec FAQ.
Struts Interceptor Implementation
One way these headers can be included within a Struts 2 application is to create a custom interceptor. An example has been provided below.
Server: Apache-Coyote/1.1 Cache-Control: no-cache, no-store Pragma: no-cache Expires: -1 Content-Type: text/html Content-Length: 157 Date: Sat, 18 Oct 2008 18:37:35 GMT 200 OK
The code repository containing updated struts 2 modules can be found below:
Additionally, you can see discussion of these modules in my earlier blog posts: