secure_software_development_fundamentals.md (4 additions & 4 deletions)
@@ -3666,11 +3666,11 @@ We hope this was a really easy one. The problem is not just that this is a terri
3666
3666
3667
3667
[Explanation]
3668
3668
3669
-
### Avoid caching especially sensitive information
3669
+
### Avoid caching sensitive information
3670
3670
3671
-
Caching (creating intermediate copies of data) can speed many responses. However, if you are serving especially sensitive data, you should isolate it. For example, if you're implementing a website, you should *only* serve that sensitive data from a few specialized web pages and *completely* disable caching of that data on the server, client, and any proxies along the way. Disabling caches prevents accidental spills from a cache, and is yet another way to implement least privilege. Caching can occur in any part of a system, but unnecessary caching of sensitive data is especially common as part of output, so we include this issue here.
3671
+
Caching (creating intermediate copies of data) can speed many responses. However, if you are serving very sensitive data, you should avoid caching it where practical. For example, if you're implementing a website, you should *only* serve that sensitive data from a few specialized web pages and *completely* disable caching of that data on the server, client, and any proxies along the way. Disabling caches prevents accidental spills from a cache, and is yet another way to implement least privilege. Caching can occur in any part of a system, but unnecessary caching of sensitive data is especially common as part of output, so we focus on disabling caching as part of secure output.
3672
3672
3673
-
On the server commonly-used systems for caching include memcached and Redis - disable caching of that data when you can. The safest way to ensure that the web browser and web proxy caching is disabled is through this set of HTTP headers (["How do we control web page caching, across all browsers?"](https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers)):
3673
+
On the server commonly-used systems for caching include memcached and Redis. The safest way to ensure that the web browser and web proxy caching is disabled is through this set of HTTP headers (["How do we control web page caching, across all browsers?"](https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers)):
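Review bot: Dropping "- disable caching of that data when you can" from the memcached/Redis sentence (line 3673) removes the only server-side instruction in this section, leaving "On the server commonly-used systems for caching include memcached and Redis." as a bare statement of fact with no action for the reader; the rest of the paragraph now only covers browser and proxy caching via HTTP headers. Suggest keeping the guidance, e.g. "On the server, commonly-used caching systems include memcached and Redis; make sure the sensitive data is never written into them." (also adds the missing comma after "On the server"). Separately, the new wording at 3671 says "avoid caching it where practical" and then, in the next sentence, "*completely* disable caching of that data on the server, client, and any proxies"; pick one strength of recommendation, or make clear that the second sentence is the concrete recommendation for the website case. Finally, "ensure that the web browser and web proxy caching is disabled" should read "ensure that web browser and web proxy caching is disabled".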
@@ -3691,7 +3691,7 @@ header to disable writing content to storage
3691
3691
mechanisms supported by the Internet Explorer web browser.
3692
3692
In 2017 it was found that 70% of tested sites
3693
3693
(financial, healthcare, insurance, and utility sites)
3694
-
failed to correctly forbid browsers from storing cached content, because
3694
+
failed to correctly prevent browsers from storing cached content, because
3695
3695
they incorrectly used only the nonstandard request to store cached data
3696
3696
["Industry-wide Misunderstandings of HTTPS" by Independent Security Evaluators (ISE), July 12, 2017](https://www.ise.io/casestudies/industry-wide-misunderstandings-of-https/#5d).
3697
3697
You should always try to use a *standard* interface to request
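Review bot: "correctly" in "failed to correctly prevent browsers from storing cached content" (line 3694) adds nothing and reads awkwardly; "failed to prevent browsers from storing cached content" says the same thing. While touching this sentence, the unchanged citation at 3696 is run directly into the clause "they incorrectly used only the nonstandard request to store cached data" with no punctuation, so the ISE reference reads as part of the sentence; wrap it in parentheses and end the sentence with a period, e.g. 'they incorrectly used only the nonstandard request to store cached data (["Industry-wide Misunderstandings of HTTPS" ...]).' The "forbid" to "prevent" substitution itself is fine.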