Background
In many cases, the users' web browsing experience can be made more efficient by allowing web browsers to cache pages, images, scripts, and other content. This allows the web browser to retrieve content from the local disk rather than requesting data from the server every time. The end result is a quicker, more responsive user interface.
While this strategy is great for applications that handle public, non-sensitive information, it may not be appropriate for banking, investment, health care, or other similar applications. In general, applications that contain sensitive or confidential information should have controls that reduce the likelihood of information being disclosed to unauthorized individuals.
One way web applications can reduce the likelihood of browsers disclosing sensitive data through caching is to include the following HTTP headers within the server's response.
Struts Interceptor Implementation
One way these headers can be included within a Struts 2 application is to create a custom interceptor. An example has been provided below.
CachingHeadersInterceptor Code
(Click the image above to view the code)
Struts.xml
(Click the image above to view the XML)
Results
The code repository containing updated struts 2 modules can be found below:
http://code.google.com/p/struts2securityaddons/
Additionally, you can see discussion of these modules in my earlier blog posts:
In many cases, the users' web browsing experience can be made more efficient by allowing web browsers to cache pages, images, scripts, and other content. This allows the web browser to retrieve content from the local disk rather than requesting data from the server every time. The end result is a quicker, more responsive user interface.
While this strategy is great for applications that handle public, non-sensitive information, it may not be appropriate for banking, investment, health care, or other similar applications. In general, applications that contain sensitive or confidential information should have controls that reduce the likelihood of information being disclosed to unauthorized individuals.
One way web applications can reduce the likelihood of browsers disclosing sensitive data through caching is to include the following HTTP headers within the server's response.
Cache-control: no-cache, no-storeFor more information, please see the OWASP AppSec FAQ.
Pragma: no-cache
Expires: -1
Struts Interceptor Implementation
One way these headers can be included within a Struts 2 application is to create a custom interceptor. An example has been provided below.
CachingHeadersInterceptor Code
(Click the image above to view the code)<Source>
@SuppressWarnings("serial")
public class CachingHeadersInterceptor extends AbstractInterceptor {
public String intercept(ActionInvocation invocation) throws Exception {
final ActionContext context = invocation.getInvocationContext();
HttpServletResponse response = (HttpServletResponse)context.get(StrutsStatics.HTTP_RESPONSE);
if(response != null) {
response.setHeader("Cache-control", "no-cache, no-store");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "-1");
}
return invocation.invoke();
}
}
</Source>
Struts.xml
(Click the image above to view the XML)<Source>
<interceptors>
<interceptor name="cachingHeadersInterceptor" class="org.maruara.web.interceptors.CachingHeadersInterceptor" />
<interceptor-stack name="defaultSecurityStack">
<interceptor-ref name="defaultStack" />
<interceptor-ref name="cachingHeadersInterceptor" />
</interceptor-stack>
</interceptors>
</Source>
Results
Server: Apache-Coyote/1.1
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html
Content-Length: 157
Date: Sat, 18 Oct 2008 18:37:35 GMT
200 OK
The code repository containing updated struts 2 modules can be found below:
http://code.google.com/p/struts2securityaddons/
Additionally, you can see discussion of these modules in my earlier blog posts:
- http://nickcoblentz.blogspot.com/2008/09/jsessionid-regeneration-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/http-caching-headers-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/ssltls-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/10/custom-error-pages-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/11/csrf-prevention-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/11/page-level-access-controls-in-struts-2.html
- http://nickcoblentz.blogspot.com/2008/12/page-level-access-controls-in-struts-2.html