WebApp Sec mailing list archives

Re: Code snippets to disable browser caching


From: "Jean-Jacques Halans" <halans () gmail com>
Date: Tue, 9 May 2006 08:39:44 +1000

Hi,
I've used these ones:
----------------------------------------
HTML
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-control" CONTENT="no-cache">
<META HTTP-EQUIV="Cache" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="thu, 01 Jan 1998 12:00:00 GMT">

To properly prevent the Web page from appearing in the cache (older IE
versions), place another header section at the end of the HTML
document:
...
</BODY>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</HEAD>
</HTML>
----------------------------------------
ASP
<% Response.CacheControl = "no-cache" 'HTTP 1.1 %>
<% Response.CacheControl="private" 'prevents caching at the proxy server %>
<% Response.AddHeader "Pragma", "no-cache" 'HTTP 1.0 %>
<% Response.AddHeader "cache-control", "no-store" 'HTTP 1.1 %>
<% Response.Expires = -1 'prevents caching at the proxy server %>

----------------------------------------
JSP
<% response.setHeader("Cache-Control","no-cache");  %>
<% response.setHeader("Pragma","no-cache"); %>
<% response.setDateHeader ("Expires", 0); %>
<% response.setHeader("Cache-Control","no-store"); %>

----------------------------------------
PHP
Header("Cache-control: private, no-cache, must-revalidate");
Header("Cache-control: private, no-cache");
Header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); # Past date
Header("Pragma: no-cache"); #HTTP 1.0

----------------------------------------
And another simple technique:
append a random number to the query-string of every URL you do not want cached

More on HTTP/1.1 caching:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9

Hope it helps,
JJ


On 8 May 2006 04:43:31 -0000, smith.norton () gmail com
<smith.norton () gmail com> wrote:
>Can anyone suggest how to write my HTML file so that it disables browser
>caching on the client side?
>
>
>I would appreciate if anyone can give small code snippets to explain the
>same.
>
>
>Thanks in advance.
-------------------------------------------------------------------------

Halans Jean-Jacques, CISSP
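
An added example, not part of the original post: a Python audit of the caching headers a response actually carries, following the Cache-Control semantics of the RFC section linked above. It reports whether a browser or proxy may still store the page and whether a stored copy may be reused without revalidation. The function names and the sample header sets are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(values):
    """Merge every Cache-Control field value into {directive: argument or None}."""
    directives = {}
    for value in values:
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def expired(value):
    """Invalid Expires values such as "-1" or "0" count as already expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:  # "-0000" zone parses as a naive datetime; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def audit(headers):
    """headers: (name, value) pairs as sent on the wire. Returns what caches may do."""
    cc = parse_cache_control(v for k, v in headers if k.lower() == "cache-control")
    expires = [v for k, v in headers if k.lower() == "expires"]
    no_store = "no-store" in cc
    if no_store or "no-cache" in cc:
        reuse = False  # never stored, or must be revalidated before each reuse
    elif "max-age" in cc:
        reuse = cc["max-age"] not in (None, "0")  # max-age overrides Expires
    elif expires:
        reuse = not expired(expires[0])
    else:
        reuse = True  # no explicit lifetime: a cache may apply heuristic freshness
    return {"browser_may_store": not no_store,
            "proxy_may_store": not no_store and "private" not in cc,
            "reuse_without_revalidation": reuse}

# Constructed header sets built from directives that appear in the snippets above.
REVALIDATE = [("Cache-Control", "private, no-cache"), ("Pragma", "no-cache"),
              ("Expires", "Mon, 26 Jul 1997 05:00:00 GMT")]
NO_STORE = [("Cache-Control", "no-cache"), ("Cache-Control", "no-store"), ("Expires", "-1")]
EXPIRES_ONLY = [("Expires", "0")]

if __name__ == "__main__":
    for hdrs in (REVALIDATE, NO_STORE, EXPIRES_ONLY):
        print(hdrs[0], audit(hdrs))
```

Only the set containing `no-store` reports that the browser may not keep a copy; `no-cache` and a past `Expires` force revalidation but still allow the response to be written to the cache.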
