[OWASP-Security101] Security101 Digest, Vol 2, Issue 8

Thomas Stiehm thomas.stiehm at gmail.com
Mon Mar 26 19:35:21 UTC 2012

I believe the only way to make sure that the memory cache is clear is
to close Firefox completely. Just closing the tab your app was on
doesn't do it. Feature or bug, that is the way Firefox works. If I
remember correctly, the no-cache controls only really deal with disk
cache and not memory cache. That is why most sensitive sites tell you
to close the browser down completely after using their site.

So to answer your question, you aren't doing anything wrong. Firefox
doesn't work the way you expect.


On Mon, Mar 26, 2012 at 8:00 AM,  <security101-request at lists.owasp.org> wrote:

> I'm building a web app, I have a valid SSL cert and I'm setting my headers
> to no-store on my web pages.
> But, my web app's sensitive https data is visible through
> visiting "about:cache" and clicking to review the device memory. Even after
> the web application is logged out and the web app's tab is closed
> (i.e. other tabs in Firefox remain open.)
> Any ideas for what I might be doing wrong?
> Thank you
> -SR
> (P.S. I've also tried various header combinations of no-cache, no-store,
> must-revalidate, private, max-stale=0, post-check=0 & pre-check=0)
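
An added example, not part of the original thread: a small audit of a Cache-Control response header that sorts the combination listed in the question into standard response directives, request-only directives (RFC 7234 section 5.2) and Internet Explorer extensions. The function names and the sample value are constructed for illustration.

```python
import re

# Classification per RFC 7234 section 5.2; post-check/pre-check are
# Internet Explorer extensions, not defined in the RFC.
RESPONSE = {"no-store", "no-cache", "must-revalidate", "proxy-revalidate",
            "private", "public", "max-age", "s-maxage", "no-transform"}
REQUEST_ONLY = {"max-stale", "min-fresh", "only-if-cached"}
IE_EXTENSION = {"post-check", "pre-check"}

# name, optionally followed by =token or ="quoted string" (may contain commas)
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)(?:\s*=\s*("[^"]*"|[^,\s]*))?')


def parse_cache_control(value):
    """Return {directive: argument or None} for a Cache-Control value."""
    return {name.lower(): (arg.strip('"') or None)
            for name, arg in _DIRECTIVE.findall(value)}


def audit(value):
    """Return a list of (directive, finding) tuples for a response header."""
    seen = parse_cache_control(value)
    findings = []
    if "no-store" not in seen:
        findings.append(("no-store",
                         "absent: caches are permitted to store the response"))
    for name in seen:
        if name in REQUEST_ONLY:
            findings.append((name, "request directive; not defined for responses"))
        elif name in IE_EXTENSION:
            findings.append((name, "Internet Explorer extension; non-standard"))
        elif name not in RESPONSE:
            findings.append((name, "unrecognised directive"))
    if "public" in seen and ("private" in seen or "no-store" in seen):
        findings.append(("public", "conflicts with private/no-store"))
    return findings


# Constructed sample: the combination listed in the question above.
SAMPLE = ("no-cache, no-store, must-revalidate, private, "
          "max-stale=0, post-check=0, pre-check=0")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```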
