
cache headers in the security bundle

Open jmcampanini opened this issue 9 years ago • 8 comments

consider adding cache headers. an example of this (and rationale) can be found here: Spring Security Cache Controls.

the goal would be to add these headers only if they haven't already been set. this would allow servlets to still define their caching functionality.

the proposed implementation would be to:

  1. if the Cache-Control or Pragma header is set, do not set anything
  2. set the 3 headers listed below to the values configured

this will follow the same priority for configuration as the rest of the bundle (high to low): YAML > coded values > default values of bundle.

the headers and their default values:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0

// tagging for SA: @qinfchen @derekcicerone @jlz27 @rcchen

jmcampanini avatar Feb 17 '16 17:02 jmcampanini
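The two rules proposed above (add nothing if Cache-Control or Pragma is already present, otherwise set all three headers to the configured values) map naturally onto a servlet Filter. The following is an added example, not code from dropwizard-web-security or from the issue author; the class name CacheControlFilter, the constructor used to pass the configured values, and the response-wrapper approach are all assumptions. The wrapper applies the defaults immediately before the first event that would commit the response, so a servlet or JAX-RS resource that sets its own Cache-Control beforehand keeps its policy untouched:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not part of dropwizard-web-security) that adds
 * cache-defeating headers unless the servlet or resource already chose its
 * own caching policy. The defaults are the values proposed in the issue.
 */
public final class CacheControlFilter implements Filter {
    private final Map<String, String> headers;

    public CacheControlFilter() {
        this("no-cache, no-store, max-age=0, must-revalidate", "no-cache", "0");
    }

    /** In a real bundle these values would come from YAML > coded values > defaults. */
    public CacheControlFilter(String cacheControl, String pragma, String expires) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("Cache-Control", cacheControl);
        m.put("Pragma", pragma);
        m.put("Expires", expires);
        this.headers = Collections.unmodifiableMap(m);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        DefaultingResponse wrapped = new DefaultingResponse((HttpServletResponse) res);
        try {
            chain.doFilter(req, wrapped);
        } finally {
            // Nothing may have been written (e.g. a 204): apply before the container commits.
            wrapped.applyDefaults();
        }
    }

    /** Rule 1: if Cache-Control or Pragma is already present, add nothing at all. */
    private void applyTo(HttpServletResponse response) {
        if (response.isCommitted()
                || response.containsHeader("Cache-Control")
                || response.containsHeader("Pragma")) {
            return;
        }
        // Rule 2: set all three headers to the configured values.
        headers.forEach(response::setHeader);
    }

    /** Applies the defaults once, right before the first event that commits the response. */
    private final class DefaultingResponse extends HttpServletResponseWrapper {
        private boolean applied;

        DefaultingResponse(HttpServletResponse response) { super(response); }

        void applyDefaults() {
            if (!applied) {
                applied = true;
                applyTo((HttpServletResponse) getResponse());
            }
        }

        @Override public ServletOutputStream getOutputStream() throws IOException {
            applyDefaults(); return super.getOutputStream();
        }
        @Override public PrintWriter getWriter() throws IOException {
            applyDefaults(); return super.getWriter();
        }
        @Override public void flushBuffer() throws IOException {
            applyDefaults(); super.flushBuffer();
        }
        @Override public void sendError(int sc) throws IOException {
            applyDefaults(); super.sendError(sc);
        }
        @Override public void sendError(int sc, String msg) throws IOException {
            applyDefaults(); super.sendError(sc, msg);
        }
        @Override public void sendRedirect(String location) throws IOException {
            applyDefaults(); super.sendRedirect(location);
        }
    }
}
```

In a Dropwizard application the filter would be registered through the standard servlet environment, e.g. `environment.servlets().addFilter("cache-control", new CacheControlFilter())` followed by `addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*")`. The hook fires on the first write, flush, error or redirect, so a resource that wants its own policy must set Cache-Control before it starts writing the body; JAX-RS resources already satisfy this because Jersey writes the status and headers before the entity. Because the check is all-or-nothing, a resource that sets only Cache-Control will not be left with a conflicting Pragma or Expires value added by the filter.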

Why is this part of the security bundle?

derekcicerone-zz avatar Feb 17 '16 17:02 derekcicerone-zz

there seems to be sufficient security implications to not having these headers properly set:

  1. https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Browser_Cache
  2. https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/#cache-control

considering the security implications and that the majority of our services are already setting this with one-off filters makes me think that it's common security-related code that fits within the context of the web-security bundle.

jmcampanini avatar Feb 17 '16 17:02 jmcampanini

Let's discuss offline, maybe there is something I'm not entirely understanding here because I don't see why the defaults built into Jetty aren't sufficient.

derekcicerone-zz avatar Feb 17 '16 18:02 derekcicerone-zz

discussed offline. will come back to this later and investigate a better caching strategy for our apps in general. at this point, there is no pressing need as each application is handling this on their own.

jmcampanini avatar Feb 17 '16 23:02 jmcampanini

@jmcampanini can I close this?

tomshen avatar May 09 '16 20:05 tomshen

Hi, any plans of adding the Cache-Control and Pragma headers to the doordeck/dropwizard-web-security project? Lack of these headers shows up as a vulnerability in scans (though it is low priority).

vanditamathur avatar Mar 12 '19 14:03 vanditamathur

Dropwizard does ship with a native @CacheControl annotation at https://www.dropwizard.io/1.3.9/docs/manual/core.html#caching, if that helps.

jplock avatar Mar 12 '19 14:03 jplock

Thanks @jplock for the pointer. However, it would be good to have a single global place to do this. We have a lot of resource files and functions, and it would be difficult to annotate all of them.

vanditamathur avatar Mar 13 '19 05:03 vanditamathur