[OWASP-Security101] about:cache shows sensitive info from memory even with HTTPS and headers set to no-store

StopEmailSpam StopEmailSpam stopemailspam at gmail.com
Sat Mar 24 19:47:35 UTC 2012


I'm building a web app, I have a valid SSL cert and I'm setting my headers
to no-store on my web pages.

But, my web app's sensitive https data is visible through
visiting "about:cache" and clicking to review the device memory. Even after
the web application is logged out and the web app's tab is closed
(i.e. other tabs in Firefox remain open.)

Any ideas for what I might be doing wrong?

Thank you
-SR

(P.S. I've also tried various header combinations of no-cache, no-store,
must-revalidate, private, max-stale=0, post-check=0 & pre-check=0)
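The directives listed in the P.S. do different things, and the difference matters here: `no-cache` only forces revalidation before a stored copy is reused, `private` only keeps shared caches out, and only `no-store` tells a cache not to write the response at all. The checker below, an added example that is not part of the original post, parses a response's caching headers and reports which of those gaps remain; the header set `NO_STORE_HEADERS` and the function names are this example's own choices, not anything from the poster's app.

```python
"""Check whether an HTTP response's caching headers prevent retention."""
from typing import Dict, List

# Recommended header set for responses carrying sensitive data (constructed
# for this example): no-store keeps HTTP caches from writing the response,
# no-cache/max-age=0 cover caches that ignore no-store, Pragma covers HTTP/1.0.
NO_STORE_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument} (argument '' if none)."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def assess_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings about how an HTTP cache may retain this response.

    An empty list means the headers are as strict as HTTP caching allows.
    Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []

    if "no-store" not in cc:
        findings.append("no-store missing: caches may write the response to disk")
        if "no-cache" in cc:
            findings.append("no-cache only forces revalidation before reuse; the stored copy persists")
        if "private" in cc:
            findings.append("private only excludes shared caches; the browser cache may still store it")
        if "public" in cc:
            findings.append("public explicitly allows shared caches to store the response")

    max_age = cc.get("max-age", "")
    if max_age not in ("", "0"):
        findings.append(f"max-age={max_age} lets caches reuse the response without revalidation")

    if lowered.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches may ignore Cache-Control")

    return findings


if __name__ == "__main__":
    # Constructed header sets: the recommended one and a weaker one that
    # relies on no-cache/private only.
    weak = {"Cache-Control": "private, no-cache, max-age=600"}
    for label, hdrs in (("strict", NO_STORE_HEADERS), ("weak", weak)):
        print(label, assess_caching(hdrs) or "OK")
```

This only validates the HTTP side of the problem. As the post describes, a browser can still hold page content in its own memory while the session is running regardless of these headers, so a clean result from the checker tells you the server is doing its part, not that about:cache will be empty.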

