The Issue
The current default values for the Cache-Control header in both the SecureHeadersMiddlewareBuilder and CacheControl classes are incorrect. The current values are:
- maxAge: 31536000 (in SecureHeadersMiddlewareBuilder)
- maxage: 86400 (in CacheControl)
- noStore: false (in both SecureHeadersMiddlewareBuilder and CacheControl)
See both of the following lines for the incorrect values:
https://github.com/GaProgMan/OwaspHeaders.Core/blob/main/src/Extensions/SecureHeadersMiddlewareBuilder.cs#L259
https://github.com/GaProgMan/OwaspHeaders.Core/blob/main/src/Models/CacheControl.cs#L66-L67
The correct values should be:
- maxage: 0
- noStore: true
The above correct values come from https://owasp.org/www-project-secure-headers/#configuration-proposal-1:
> [!QUOTE]
> 💻 To prevent such an issue, the following caching policy can be specified:
> Cache-Control: no-store, max-age=0
> 👀 Where:
> - no-store: Is used to indicate that the response may not be stored in any cache.
> - max-age=0: Is used to force the expiration of any cached version of the resources associated to the response.
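The following script is an added example, not code from OwaspHeaders.Core or from the issue author. It parses a Cache-Control header value into its directives and reports how far it is from the OWASP policy quoted above (`no-store, max-age=0`). The sample header values are constructed from the two library defaults listed in this issue plus the recommended value, so a maintainer or reviewer can run it against any response header they capture to see which of the two directives is off.

```python
"""Check a Cache-Control header value against the OWASP Secure Headers
proposal 'no-store, max-age=0'.

Added example, not part of OwaspHeaders.Core. The sample header values in
SAMPLES are constructed from the defaults quoted in this issue.
"""
from dataclasses import dataclass, field


@dataclass
class CacheControlPolicy:
    # directive name (lower-cased) -> value string, or None for valueless
    # directives such as no-store
    directives: dict = field(default_factory=dict)

    @property
    def no_store(self) -> bool:
        return "no-store" in self.directives

    @property
    def max_age(self):
        # None when max-age is absent or its value is not an integer
        raw = self.directives.get("max-age")
        if raw is None:
            return None
        try:
            return int(raw)
        except ValueError:
            return None


def parse_cache_control(header: str) -> CacheControlPolicy:
    """Split a Cache-Control value into a directive map.

    Directives are comma-separated; names are case-insensitive and values
    may be quoted (RFC 9111 syntax, simplified: no quoted commas).
    """
    policy = CacheControlPolicy()
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        policy.directives[name.strip().lower()] = (
            value.strip().strip('"') if sep else None
        )
    return policy


def check_owasp_caching(header: str) -> list:
    """Return findings describing deviations from 'no-store, max-age=0'.

    An empty list means the header matches the OWASP proposal.
    """
    policy = parse_cache_control(header)
    findings = []
    if not policy.no_store:
        findings.append("missing no-store: response may be stored by caches")
    age = policy.max_age
    if age is None:
        findings.append("missing max-age=0")
    elif age != 0:
        findings.append(
            f"max-age={age}: cached copies stay fresh for {age}s "
            "instead of expiring immediately"
        )
    return findings


# Constructed sample values: the two current library defaults from this
# issue and the OWASP-recommended value.
SAMPLES = {
    "builder_default": "max-age=31536000",
    "cachecontrol_default": "max-age=86400",
    "owasp_recommended": "no-store, max-age=0",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        findings = check_owasp_caching(value)
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:22} {value!r:24} -> {status}")
```

Running it prints one line per sample: both current defaults produce two findings (no `no-store`, and a non-zero `max-age`), while the recommended value produces none. The parser deliberately lower-cases directive names so that `No-Store, Max-Age=0`, which caches treat as equivalent, is accepted too.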
Software Versions Used
- OwaspHeaders.Core version number: vLatest
- .NET SDK used: N/A
- IDE used: N/A