Insecure Browser Caching

Issue: SI-10
Date: Jun 7, 2013, 11:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 2.5
Credit: Internal Security Team

It has been reported that many dotCMS Admin screens do not include Cache-Control headers. This allows a client browser to cache dotCMS admin pages (as rendered) locally on the client's computer, which, if examined, could expose sensitive content.

This does not affect proxy servers, because all dotCMS pages are served with cookies, which shared caches do not store.

All web pages that contain sensitive content should be served with Cache-Control and Pragma headers that prevent any information from being cached.

dotCMS includes cache-control meta tags in its HTML, which all major browsers respect. If you would also like to send the response headers, use a static plugin to override /html/common/top_inc.jsp and add the appropriate headers there, like this:

response.setHeader("Expires", "Sat, 01 Jan 2000 00:00:00 GMT"); // RFC 1123 date in the past, so the page is already stale
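The following is an added example, not dotCMS code: a servlet filter that sets the full set of no-cache headers (Cache-Control, Pragma and Expires) on every response under a path prefix, so the protection does not depend on each admin JSP including top_inc.jsp. The class name, the "/c/" prefix and the "prefix" init-param are assumptions standing in for whatever path your admin screens are served from.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks every response under a configured path prefix as non-cacheable.
 * Added example, not dotCMS code; "/c/" is an assumed default for the
 * admin path and can be overridden with the (assumed) "prefix" init-param.
 */
public class NoStoreFilter implements Filter {

    private String protectedPrefix = "/c/";

    @Override
    public void init(FilterConfig config) {
        String prefix = config.getInitParameter("prefix");
        if (prefix != null && !prefix.isEmpty()) {
            protectedPrefix = prefix;
        }
    }

    /** Headers every page with sensitive content should carry. */
    static void applyNoStore(HttpServletResponse response) {
        // no-store: never write the body to disk or memory cache;
        // no-cache + must-revalidate: cover caches that ignore no-store;
        // private: never share the response across users.
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private");
        // HTTP/1.0 caches only understand Pragma.
        response.setHeader("Pragma", "no-cache");
        // Expires must be a valid RFC 1123 date; a past date means "already stale".
        response.setHeader("Expires", "Sat, 01 Jan 2000 00:00:00 GMT");
    }

    /** True when the path (context path already stripped) falls under the prefix. */
    static boolean isProtected(String path, String prefix) {
        return path != null && path.startsWith(prefix);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // Strip the context path so the prefix check is the same under any deployment root.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            if (isProtected(path, protectedPrefix) && !response.isCommitted()) {
                // Set the headers before the chain runs, so they are already in place
                // if a downstream JSP flushes the buffer early.
                applyNoStore(response);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter in web.xml with a filter-mapping whose url-pattern covers the admin prefix. After deploying, confirm with a HEAD request against an admin page (for example with curl -I while logged in) that all three headers are present; a page that still lacks them is either outside the mapped pattern or is overwriting the headers itself.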