10

We have an MVC application that is scanned for security issues by a third party company using IBM app scan. The problem is that we have multiple issues raised because of Bundling and Minification, for example

[screenshot of the AppScan finding, not reproduced]

The entire point is that bundling and minification will cache your stylesheets and javascript files. Unfortunately we will not get sign off without resolving these issues. Any ideas on how we can get past this?

Andre Lombaard
  • Sounds like just another security company who blindly runs an appscan or burp scan without interpreting results. You're fine. – Lucas Kauffman Aug 04 '14 at 16:36
  • what @CodesInChaos says (well perhaps slightly more diplomatically). Your security consultants shouldn't be taking issues directly from AppScan and presenting them to the customer. Caching may be an issue if the cached files contain sensitive information. In this case it seems very unlikely to be an issue and the real answer is that the consultant should have to explain *why* this is a problem in this case before caching is disabled... – Rory McCune Aug 04 '14 at 16:37
  • Perhaps a url ending in `something.js` would avoid the false positive. A bit of googling seems to suggest that the scanner tries to exclude static content from this warning via file extensions - your url might not match their exclusion pattern. – CodesInChaos Aug 04 '14 at 16:40
  • Like @LucasKauffman mentioned, the company blindly runs appscan without interpreting the results, unfortunately I have to adhere to their instructions and disable caching. I'm pretty sure I will be the first guy hearing from them when the application slows up. – Andre Lombaard Aug 05 '14 at 08:56

3 Answers

2

Unfortunately the client would not accept the fact that his CSS and javascript files are cached and asked to disable all caching, which resolved all of the issues.

To achieve this I added the following method to the Global.asax file to disable caching for each request made to the server.

protected void Application_BeginRequest()
{
    // Runs for every request, so these headers are applied to pages and bundles alike
    HttpContext.Current.Response.Cache.SetAllowResponseInBrowserHistory(false);
    HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache); // Cache-Control: no-cache, Pragma: no-cache
    HttpContext.Current.Response.Cache.SetNoStore();                              // adds no-store
    Response.Cache.SetExpires(DateTime.Now);                                      // Expires: now, so nothing is considered fresh
    Response.Cache.SetValidUntilExpires(true);
}

This will add the Cache-Control: no-store and Pragma: no-cache to the response headers. Below is an image of the headers using Fiddler

Please note that bundling and minification are still used, but the files are not cached. Please use caution when taking this route; as mentioned, caching will be turned off for the entire application.

Andre Lombaard
  • Hi Andre, What is the solution here if we want to cache the pages? It is obvious that most of the application cache the http response to improve the response time, so in that case how to prevent this? – Ashish Shukla Sep 18 '19 at 09:36
  • Hi, @AshishShukla this route was only taken because of the client not fully understanding the app scan results and would not accept professional opinion on this. This was purely a warning that sensitive information can be obtained if stored within your cached files. So the solution? Don't disable caching as indicated by my solution above. – Andre Lombaard Sep 18 '19 at 20:50
1

You can have a look at the bundle transforms. It is not a complex process and does not require disabling the browser cache for the whole application. The downside is that it doesn't give you too much control over the response, although it gives you the option to disable browser caching.

Please note that with this approach you can only set cache-control as no-cache and you cannot set it as no-store. So I am not sure if your client would accept that! (If this doesn't help, it might be worth keeping an eye on new features for bundle transforms, as they plan to give more control over the cache headers as per this SO response)

If you think this will be enough, then start by creating a new transform DisableCacheOverHttpsTransform that implements IBundleTransform. The transform will check if the current request is over a secure connection and in that case it will disable browser caching for the bundle:

public class DisableCacheOverHttpsTransform : IBundleTransform
{
    public void Process(BundleContext context, BundleResponse response)
    {
        if (context.HttpContext.Request.IsSecureConnection)
        {
            //disable cache on https
            response.Cacheability = HttpCacheability.NoCache;
        }
    }
}

Now all you need to do is make sure your script and css bundles use this transform. You can use this code to add this transform to all bundles (this should be at the end of your RegisterBundles(BundleCollection bundles) method):

public static void RegisterBundles(BundleCollection bundles)
{
    ...

    //Uncomment to try bundling in debug
    //BundleTable.EnableOptimizations = true;

    var transform = new DisableCacheOverHttpsTransform();
    foreach (var bundle in bundles)
    {
        bundle.Transforms.Add(transform);
    }
}

With these changes, when your application is running over https, the responses for your script and css bundles will include the headers Cache-Control:no-cache and Pragma:no-cache.

Hope it helps!

Daniel J.G.
  • Thank you, this sounds like a much better solution than to disable caching for the entire site, my client will probably not accept this change but will test this and mark as the correct answer once verified. – Andre Lombaard Aug 05 '14 at 08:47
  • If they don't accept that either, the last comment by @CodesInChaos may be worth exploring (adding js/css extension and see if the app scan then ignores caching for those requests)... (I never tried this, but a quick search showed [this approach](http://stackoverflow.com/questions/12931461/is-there-any-way-to-have-a-file-extension-in-a-bundle-name) ) – Daniel J.G. Aug 05 '14 at 08:54
  • Thank you, will explore these approaches. For now it doesn't really seem like they care too much about the caching of files, they will probably pay us again to change this back somewhere in the future :) – Andre Lombaard Aug 05 '14 at 09:12
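A middle path between the site-wide no-store in the accepted answer and the bundle-only transform above, as an added example that is not code from the question or from any answer: a global ASP.NET MVC action filter (hypothetical name NoStoreForPagesAttribute) that marks only rendered views and JSON results as uncacheable, since those are the responses that can carry per-user data. Bundles are served by the bundle handler outside the MVC filter pipeline, so they keep their default caching; this assumes MVC 4/5 with System.Web.Optimization as on this page.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: applies the "no-store" policy the scanner asks for
// only to action results that render a page or return JSON. Static bundles
// never pass through MVC filters, so their caching is left untouched.
public class NoStoreForPagesAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Assumption: views and JSON are the only results that may contain
        // sensitive data; file/redirect/content results are left alone.
        bool sensitive = filterContext.Result is ViewResultBase
                      || filterContext.Result is JsonResult;

        if (sensitive)
        {
            HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
            cache.SetCacheability(HttpCacheability.NoCache);      // Cache-Control: no-cache + Pragma: no-cache
            cache.SetNoStore();                                   // adds no-store
            cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // must-revalidate
            cache.SetExpires(DateTime.UtcNow.AddDays(-1));        // already expired
            cache.SetAllowResponseInBrowserHistory(false);        // no back-button replay of the page
        }

        base.OnResultExecuting(filterContext);
    }
}

public static class FilterConfig
{
    // Called once from Application_Start in Global.asax (the standard MVC
    // template already wires FilterConfig.RegisterGlobalFilters).
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new NoStoreForPagesAttribute());
    }
}
```

After deploying, confirm with Fiddler or the browser's network tab that a page response carries Cache-Control: no-cache, no-store, must-revalidate while a bundle URL still returns its normal max-age and ETag headers.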
0

I have used a similar approach. But these minor differences allow a client and server cache while stopping any proxy cache. This seems to be a middle ground for AppScan and Developer.

    Response.Cache.SetCacheability(HttpCacheability.ServerAndPrivate); // Cache-Control: private; server and browser may cache
    Response.Cache.SetRevalidation(HttpCacheRevalidation.ProxyCaches);  // proxy-revalidate: shared proxies must revalidate
    Response.Cache.SetExpires(DateTime.Now);                            // Expires: now
    Response.Cache.SetNoStore();                                        // no-store
    Response.Cache.SetMaxAge(new TimeSpan(0, 0, 30));                   // max-age=30
    Response.AppendHeader("Pragma", "no-cache");                        // Pragma: no-cache for HTTP/1.0 caches
JStevens