Issue: Cacheable HTTPS Response
Description:
If sensitive information in application responses is stored in the browser's local cache, it may later be retrieved by other users who have access to the same computer.
Remediation:
This issue can be remediated in ZIETrans by setting the headers below on every response:
Cache-Control: no-store
Pragma: no-cache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate (the fuller form, which includes no-store)
Refer to the steps below to add the headers to the response.
For Clickjacking, Missing or Insecure Cross-Frame Scripting Defence, and Cacheable HTTPS Response, follow the steps below to add the headers to the response.
- Add the below filter to web.xml:

    <filter>
        <filter-name>FilterServlet</filter-name>
        <filter-class>com.ibm.filter.FilterServlet</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterServlet</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

- Create a filter class and add the headers in the doFilter() method, setting X-Frame-Options and cache control as below:

    package com.ibm.filter;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    public class FilterServlet implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // No configuration needed; the headers are fixed.
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            HttpServletResponse httpResp = (HttpServletResponse) response;
            // Clickjacking / Cross-Frame Scripting: only same-origin pages may frame us.
            httpResp.setHeader("X-Frame-Options", "SAMEORIGIN");
            // Cacheable HTTPS Response: forbid storing the response in any cache
            // (the full form listed in the remediation; no-store is the essential directive).
            httpResp.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate");
            // HTTP/1.0 caches honour Pragma instead of Cache-Control.
            httpResp.setHeader("Pragma", "no-cache");
            // Tell browsers to use HTTPS only for this host (181 days).
            httpResp.setHeader("Strict-Transport-Security", "max-age=15638400");
            // Set the headers before passing control on, so they are in place
            // before any downstream component commits the response.
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // Nothing to release.
        }
    }
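After deploying the filter, the fix should be confirmed against a live response rather than assumed. The shell function below is an added example (not part of the original article or the ZIETrans product) that reads a raw HTTP response header block on standard input and checks that Cache-Control carries no-store, that Pragma: no-cache is present, and that X-Frame-Options is set. The two header blocks embedded in it are constructed samples representing a response before and after the filter is installed; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Verify that a response header block carries the headers set by FilterServlet.
# Usage (placeholder host):  curl -sI https://your-host.example/app/ | check_cache_headers
# Returns 0 when every check passes, 1 otherwise, printing each failure.

check_cache_headers() {
    # Strip CR so Windows-style line endings do not break the matching.
    hdrs=$(tr -d '\r')
    rc=0

    # Header names are case-insensitive, so match them without regard to case
    # and lower-case the value before looking for directives.
    cc=$(printf '%s\n' "$hdrs" | grep -i '^cache-control:' | tr 'A-Z' 'a-z')
    case "$cc" in
        *no-store*) ;;
        *) echo "FAIL: Cache-Control does not contain no-store"; rc=1 ;;
    esac

    pragma=$(printf '%s\n' "$hdrs" | grep -i '^pragma:' | tr 'A-Z' 'a-z')
    case "$pragma" in
        *no-cache*) ;;
        *) echo "FAIL: Pragma: no-cache is missing"; rc=1 ;;
    esac

    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | tr 'A-Z' 'a-z')
    case "$xfo" in
        *deny*|*sameorigin*) ;;
        *) echo "FAIL: X-Frame-Options is missing or not DENY/SAMEORIGIN"; rc=1 ;;
    esac

    return $rc
}

# Constructed sample: a response from an application without the filter.
BEFORE='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=3600
Content-Length: 512
'

# Constructed sample: the same response once FilterServlet is in place.
AFTER='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=15638400
Content-Length: 512
'

# Run both samples when executed directly.
if [ "${0##*/}" = "check_cache_headers.sh" ]; then
    echo "Before filter:"; printf '%s' "$BEFORE" | check_cache_headers || true
    echo "After filter:";  printf '%s' "$AFTER"  | check_cache_headers && echo "OK"
fi
```

Because the filter is mapped to /*, a single page is enough to confirm the headers are applied, but pages that display sensitive data are the ones worth spot-checking; a proxy or load balancer in front of the application can still add its own Cache-Control, so test the response as the browser actually receives it.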