[Owasp-csrfguard] cache control on error page?

Chris Hyzer mchyzer at isc.upenn.edu
Thu May 15 15:02:01 UTC 2014


If CSRFGuard sends the user to the no-token or bad-token page, should it set headers about not caching the response?

// Set standard HTTP/1.1 no-cache headers.
response.setHeader("Cache-Control", "private, no-store, no-cache, must-revalidate");

// Set standard HTTP/1.0 no-cache header.
response.setHeader("Pragma", "no-cache");

and maybe Expires to 0?

Maybe this is only a problem where something was not whitelisted, then you allow it, and the browser might have it cached...

Thanks,
Chris
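One way the error-page path could set those headers, as an added illustration that is not CSRFGuard's own code and not part of the original message: a servlet filter that, on a request whose token does not match, sets the HTTP/1.1 and HTTP/1.0 no-cache headers plus an Expires date in the past before forwarding to the error page. The token name, session attribute, error page path and the unprotected-path list are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative filter, not CSRFGuard's code. Assumes the expected token is
 * stored in the session under TOKEN_NAME and presented as a request parameter
 * of the same name; both names, ERROR_PAGE and UNPROTECTED are assumptions.
 */
public class NoCacheTokenErrorFilter implements Filter {

    private static final String TOKEN_NAME = "OWASP_CSRFTOKEN";     // assumed
    private static final String ERROR_PAGE = "/csrf-error.jsp";      // assumed
    private static final Set<String> UNPROTECTED =                   // assumed
            new HashSet<>(Arrays.asList("/login", ERROR_PAGE));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Whitelisted paths need no token.
        if (UNPROTECTED.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        String expected = (String) request.getSession(true).getAttribute(TOKEN_NAME);
        String presented = request.getParameter(TOKEN_NAME);

        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            // Missing or bad token: make sure neither the browser nor an
            // intermediary keeps this page, so that if the URL is whitelisted
            // later the user gets the real page instead of a cached error.
            setNoCache(response);
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.getRequestDispatcher(ERROR_PAGE).forward(request, response);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Headers that disable caching for HTTP/1.1 and HTTP/1.0 caches. */
    static void setNoCache(HttpServletResponse response) {
        // HTTP/1.1: no-store keeps the page out of any cache; the rest covers
        // caches that ignore no-store.
        response.setHeader("Cache-Control", "private, no-store, no-cache, must-revalidate");
        // HTTP/1.0 caches only understand Pragma.
        response.setHeader("Pragma", "no-cache");
        // setDateHeader formats epoch 0 as a valid RFC 1123 date in the past.
        response.setDateHeader("Expires", 0L);
    }

    /** Token comparison that does not leak the mismatch position via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

On the Expires question: a literal `Expires: 0` is not a valid HTTP date, but HTTP/1.1 caches are required to treat an invalid Expires value (including "0") as already expired, so it works in practice; `setDateHeader("Expires", 0L)` avoids relying on that rule by emitting a real date. The headers must be set before the forward, because the error page or the container may have already committed the response by the time the forwarded resource runs.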

