[OWASP-ESAPI] setNoCacheHeaders
Jim Manico
jim at manico.net
Thu Jan 3 16:56:50 EST 2008
Thank you for your comments on pragma:no-cache. Sorry that I missed the
JavaDoc. The information I've read on using pragma:no-cache in the
response is overwhelming. However, I defer to your expertise on this
matter.
I'm clear on setContentType and see that you are setting it globally via
ESAPI.properties.
Thanks again for your response, I'm clear on both of these features now.
Best,
Jim
***
Jeff Williams wrote:
>
> Hi Jim,
>
> * Note that the header "pragma: no-cache" is only useful in HTTP
> requests, not HTTP responses. So even though there
> * are many articles recommending the use of this header, it is
> not helpful for preventing browser caching. For more
> * information, please refer to the relevant standards:
>
> On the subject of content-type – are you looking for something
> different than the existing setContentType() method? It’s driven off
> a property in ESAPI.properties, so you set the content-type for the
> application globally.
>
> --Jeff
>
> *From:* owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Monday, December 17, 2007 1:24 PM
> *To:* owasp-esapi at lists.owasp.org
> *Subject:* Re: [OWASP-ESAPI] setNoCacheHeaders
>
> For the case of HTTP 1.0 client caches, I think we can skip meta-tags
> altogether and just add an additional header!
>
> public void setNoCacheHeaders() {
>     HttpServletResponse response =
>         Authenticator.getInstance().getCurrentResponse();
>
>     // HTTP 1.1: one combined value, because setHeader() replaces any
>     // earlier value set for the same header name
>     response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
>
>     // HTTP 1.0
>     response.setDateHeader("Expires", -1);
>
>     // NEW 1.0 ADDITION
>     response.setHeader("Pragma", "no-cache");
> }
>
> It's been a while, but last time I tested this (in the 1.0 client era)
> it worked just fine for the Netscape 3's and the like.
>
> But this leads me to the question, what about character sets? Do we
> need to add those as a meta-tag (not my preference) or can we win with
> just a (more reliable) header?
>
> From what I'm reading here (section 5.5): http://www.w3.org/TR/html4/charset.html
>
> We can skip this:
>
> <META http-equiv="Content-Type" content="text/html; ">
>
>
> and (something like) just do this instead
>
> //header Content-Type: text/html; charset=EUC-JP
> //maybe call this "setEnglish" ?
> public void setISO8859() {
>     HttpServletResponse response =
>         Authenticator.getInstance().getCurrentResponse();
>
>     // latin-1 default character set
>     response.setHeader("Content-Type", "text/html; charset=ISO-8859-1");
> }
>
> or
>
> //header Content-Type: text/html; charset=UTF-8
> //maybe call this "setInternational" ?
> public void setUTF16() {
>     HttpServletResponse response =
>         Authenticator.getInstance().getCurrentResponse();
>
>     // UTF-16 character set
>     response.setHeader("Content-Type", "text/html; charset=UTF-16");
> }
>
> Sorry to segue poorly, but I think the parent topic here is really how
> we can avoid dealing with meta-tags, which, although easier and cleaner
> in some cases, are not as reliable.
>
> --
> Best Regards,
> Jim Manico
> VP Software Engineering, Codemagi Inc.
> Application Security Instructor, Aspect Security
> jim at codemagi.com <mailto:jim at codemagi.com>
> 808.652.3805 (c)
> 484.259.3805 (f)
>
> Jeff Williams wrote:
>
> Good question. I thought about this, but I’m not sure what the API
> should look like. The existing API works on the
> HttpServletResponse, so it’s easy. To add a <meta> tag to the
> HTML would require the programmer to remember to call this from
> within his JSP pages and/or servlets that generate HTML by hand.
> What do you think the API should look like?
>
> public String getNoCacheTags() {
>     return "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">";
> }
>
> --Jeff
>
> *From:* owasp-esapi-bounces at lists.owasp.org
> <mailto:owasp-esapi-bounces at lists.owasp.org>
> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Saturday, December 15, 2007 10:46 PM
> *To:* owasp-esapi at lists.owasp.org <mailto:owasp-esapi at lists.owasp.org>
> *Subject:* [OWASP-ESAPI] setNoCacheHeaders
>
> Jeff,
>
> For your ESAPI HTTPUtilities reference implementation, why did you
> skip
>
> <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
>
> Pragma no-cache will help us win (in addition to everything else)
> for older clients, see section 14.9 of
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html - at the
> very least this addition will do no harm. I would agree that it's
> very unlikely to be necessary, but I would vote to add it in
> anyways as a defense-in-depth measure.
>
> public void setNoCacheHeaders() {
>     HttpServletResponse response =
>         Authenticator.getInstance().getCurrentResponse();
>
>     // HTTP 1.1: one combined value, because setHeader() replaces any
>     // earlier value set for the same header name
>     response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
>
>     // HTTP 1.0
>     response.setDateHeader("Expires", -1);
> }
>
> --
> Best Regards,
> Jim Manico
> VP Software Engineering, Codemagi Inc.
> Application Security Instructor, Aspect Security
> jim at codemagi.com <mailto:jim at codemagi.com>
> 808.652.3805 (c)
> 484.259.3805 (f)
>
--
Best Regards,
Jim Manico
VP Software Engineering, Codemagi Inc.
Application Security Instructor, Aspect Security
jim at codemagi.com
808.652.3805 (c)
484.259.3805 (f)
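An added example (not ESAPI's code) that models the HttpServletResponse header semantics the thread's setNoCacheHeaders() depends on and then checks the emitted headers against RFC 2616. The Response class is a constructed stand-in, and the Expires string is assumed to be what setDateHeader("Expires", -1) produces.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

class Response:
    """Constructed stand-in for HttpServletResponse header semantics."""
    def __init__(self):
        self.headers = {}  # lower-cased name -> list of values, in send order
    def set_header(self, name, value):
        # Like setHeader(): replaces every earlier value (addHeader() would append).
        self.headers[name.lower()] = [value]

# Assumed formatting of setDateHeader("Expires", -1): one millisecond before the epoch.
EPOCH_MINUS_ONE = "Wed, 31 Dec 1969 23:59:59 GMT"

def set_no_cache_headers_as_posted(resp):
    """The thread's version: three setHeader() calls on the same header name."""
    resp.set_header("Cache-Control", "no-store")
    resp.set_header("Cache-Control", "no-cache")
    resp.set_header("Cache-Control", "must-revalidate")
    resp.set_header("Expires", EPOCH_MINUS_ONE)

def set_no_cache_headers_fixed(resp):
    """One combined Cache-Control value plus the HTTP/1.0 fallbacks."""
    resp.set_header("Cache-Control", "no-store, no-cache, must-revalidate")
    resp.set_header("Pragma", "no-cache")
    resp.set_header("Expires", EPOCH_MINUS_ONE)

def cache_control_directives(resp):
    """Directive names across all Cache-Control lines (RFC 2616 14.9 list syntax)."""
    names = set()
    for line in resp.headers.get("cache-control", []):
        for directive in line.split(","):
            directive = directive.strip().lower()
            if directive:
                names.add(directive.split("=", 1)[0].strip())
    return names

def expires_in_past(resp):
    """RFC 2616 14.21: an Expires date in the past, or an unparseable one, means already expired."""
    for value in resp.headers.get("expires", []):
        try:
            if parsedate_to_datetime(value) <= datetime.now(timezone.utc):
                return True
        except (TypeError, ValueError):
            return True
    return False

def is_uncacheable(resp):
    """HTTP/1.1 caches need no-store and no-cache; HTTP/1.0 caches need Expires or Pragma."""
    legacy = expires_in_past(resp) or "no-cache" in [v.lower() for v in resp.headers.get("pragma", [])]
    return {"no-store", "no-cache"} <= cache_control_directives(resp) and legacy
```

Run against the posted version, only must-revalidate survives the three setHeader() calls; the combined value passes both checks.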