Cache is stored even after sending no-cache, no-store, must-revalidate headers
Hello Support,
We require to prevent the firefox from storing our website's sensitive pages. We are in need of a SSL certificate and SSL company are seeing it as a security threat when the sensitive pages are being stored in cache and even after we turn off the internet the pages still show up.
We have tried disabling the cache using server side code but nothing works. We tried HTML meta tags as below:
<meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache, no-store, must-revalidate" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" />
Then tried with PHP, still didn't worked:
header("Cache-Control: no-cache, no-store, must-revalidate"); // HTTP 1.1. header("Pragma: no-cache"); // HTTP 1.0. header("Expires: 0"); // Proxies.
Though it shows the correct response headers but does not work.
I have posted a similar Questions on stackoverflow.com but it seems that no one has any answer to this.
Stackoverflow Link: https://stackoverflow.com/questions/35842135/firefox-stores-cache-even-if-meta-tag-is-set-to-no-cache-no-store-must-revalid
Same settings work on chrome and other major browsers but does not work in firefox. On work offline mode, pages should not show up if I'm right.
Can you enlighten me on this as in what's really happening with Firefox? I am using Firefox version 44.0.2 on Windows 7 64-bit Platform.
Thanks
Muudetud
All Replies (6)
I'm a little surprised, but if you need a workaround, you can use POST instead of GET to retrieve sensitive pages. Example:
Thanks for the reply Jscher.
I wonder if its possible through GET only as we the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages. Is there any way we can get it done on HTML pages through GET request?
Thanks
Hopefully someone else can answer about GET requests.
About this:
achoudhary said
... the sensitive info we are displaying is dynamically generated to an HTML page. Now this HTML page is accessed through the web and we cannot check if its post request in HTML pages.
But you're not wedded to a static HTML page, right? You can use PHP, ASP.Net, or another scripting language to detect the request type of the main page and embed an anti-CSRF token that allows you to validate the source of the background request. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
Yes We can do that. But the question remains the same. Is there a way to accomplish that on HTML pages?
Even if I turn-off the internet or unplug the internet cable still the webpages show up.
Weird it seems to me and SSL company. CTRL + f5 doesn't respond.
This might be a security threat as I can see. If there's some background trojan running offline and gathering the info and sends the bundled info gathered(during offline) when we're online.
Any ways, thanks for the support. So the solution that came out is that we cannot prevent firefox from storing cache through get request if the page is a simple HTML page and it will continue to show up even if the internet is not connected.
This is not a developer support site, so don't take the lack of response to your question as "the answer."
Okay. Thanks