Forum Discussion

IheartF5_45022's avatar
Jan 05, 2012

Force no-cache on a response for naughty browsers

The problem is that Google Chrome will cache, in the current sessions memory only, responses which have had the no-cache directive applied. This means that after a user logs out of an application and walks away, another user can come up to the computer, press the back arrow and potentially see private information. The way round this is to use the no-store directive with a couple of other headers thrown in for good measure. V simple iRule below.

 

 

NB1. that Google say that this behaviour is RFC-compliant but I am not so sure...the RFC clearly says that no-cache at least means that the browser must revalidate with the server, which at least means conditional GET surely?

 

 

NB2. If you are using Web Accelerator v10 or above you will need to change your client cache setting under Lifetime to "No change", as HTTP_RESPONSE is executed before WA processing takes place on the response.

 

 

 

when HTTP_RESPONSE {

 

The purpose of this iRule event processing is to force no-store so that browsers will not store this content

 

which would enable users to hit the 'back' button, even after a logout, and potentially see customer PII

 

 

 

if {[HTTP::header Content-Type] contains "html"} {

 

HTTP::header insert Pragma "no-cache"

 

HTTP::header insert Expires "Fri, 01 Jan 1990 00:00:00 GMT"

 

HTTP::header replace Cache-Control "no-cache,no-store,must-revalidate"

 

}

 

}

 

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    Very handy, and a great security tip..thanks!

     

     

    This should definitely make its way into the CodeShare, so I've added it:

     

     

    http://devcentral.f5.com/wiki/iRules.Force-No-Cache-on-Response.ashx?NoRedirect=1&NS=iRules

     

     

    Feel free to tweak as you see fit.

     

     

    Colin
  • hi, i have a question. Will this also work if only need no cache on some extensions? Such as .html or .htm or .js

     

  • hi, i have a question. Will this also work if only need no cache on some extensions? Such as .html or .htm or .js