Possible error in 4.4.6 Testing for Browser Cache Weaknesses #1077

Open
1 task
aBUDmdBQ opened this issue Jul 3, 2023 · 6 comments
Labels
help wanted revise Needs quality review, updates, or revision

Comments

@aBUDmdBQ

aBUDmdBQ commented Jul 3, 2023

What's the issue?
In 4.4.6 Testing for Browser Cache Weaknesses in the paragraph Browser History it says:
"The Back button can be stopped from showing sensitive data. This can be done by:
  • Delivering the page over HTTPS.
  • Setting Cache-Control: must-revalidate"
In a recent penetration test I had the issue that by using the back button after logging out I could retrieve the information previously shown again. I then modified the headers in the response to see if the advice from above works. At least in Firefox it did not; for other browsers I did not test it. After setting Cache-Control: must-revalidate the information could still be retrieved in the described way.

How do we solve it?
According to https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers the correct settings for the headers are:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

At least in my tests I could confirm that these headers resolved the issue.

Would you like to be assigned to this issue?
Check the box if you will submit a PR to fix this issue. Please read CONTRIBUTING.md.

  • Assign me, please!
@aBUDmdBQ aBUDmdBQ added help wanted revise Needs quality review, updates, or revision labels Jul 3, 2023
@ThunderSon
Collaborator

@kingthorin what do you think?
That section below it, about the browser cache, mentions those 3 headers.

Testing between cache and history is a slightly tricky game, should we partially merge the section and recommendations?

@mademarc

Hey @aBUDmdBQ, how can I help and contribute to resolve this issue?

Please let me know, and thanks.

@kingthorin
Collaborator

The best first step would be to read the comments here and see if you agree with @ThunderSon's suggestion (he's one of the project leads 😉).

@mademarc

Hey @kingthorin, yes, I have read the CONTRIBUTING.md, and I also agree with @ThunderSon. As I have some points to help out, should I post them here in the comment section?

@kingthorin
Collaborator

Here is good, then everyone can collaborate and land in the right place/plan.

@aBUDmdBQ
Author

aBUDmdBQ commented Oct 2, 2023

Hey you all,
first I want to thank you for your comments. In the section about the browser cache mentioned by @ThunderSon the must-revalidate is missing, so it is not exactly the same as in my post.
From my understanding of the directives, the setting no-cache, no-store, must-revalidate also seems a bit paradoxical.
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control, no-cache means the response can be cached but before serving it the server needs to be contacted. no-store means the response must not be cached at all.
From my understanding it should be sufficient to set Cache-Control: no-store to disable the caching completely.
As far as I know the Expires header also should not be necessary if using no-store. In the case of older clients that do not support no-store you could also use max-age in the Cache-Control header. The Pragma header is for legacy clients as far as I know.
So as a minimum I would recommend the headers:
Cache-Control: no-store
Pragma: no-cache

Right now I do not have the opportunity to test this. But if I get to test it soon, I will add my findings here.
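Putting the thread's conclusion into a check a tester can run against captured response headers, as an added example that is not part of this issue or of the WSTG project (the function and class names and the sample header values are my own):

```python
"""Added example (not the OWASP WSTG's own code): classify caching headers for
a sensitive page and serve the minimum headers this thread settles on."""
from http.server import BaseHTTPRequestHandler

# Minimum headers recommended in the thread for post-login pages.
SENSITIVE_PAGE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache"}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None};
    directive names are case-insensitive, so they are lowercased."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def assess_caching(headers):
    """Return (uncacheable, notes). Only no-store forbids storing the response;
    no-cache and must-revalidate constrain reuse of a stored copy, which is why
    must-revalidate alone did not stop the back button in the report above."""
    lookup = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lookup.get("cache-control", ""))
    notes = []
    if "no-store" in cc:
        notes.append("no-store present: browser must not store the response")
    else:
        notes.append("no-store missing: browser may store the response")
        if "no-cache" in cc or "must-revalidate" in cc:
            notes.append("no-cache/must-revalidate govern reuse, not storage")
    if "pragma" not in lookup:
        notes.append("Pragma: no-cache absent; HTTP/1.0-era clients get no hint")
    return "no-store" in cc, notes

class SensitivePageHandler(BaseHTTPRequestHandler):
    """Hypothetical handler serving an account page with the headers applied."""
    def do_GET(self):
        body = b"<html><body>Account balance (constructed sample)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        for name, value in SENSITIVE_PAGE_HEADERS.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
```

Feed assess_caching the headers captured from the post-login response; a must-revalidate-only response is reported as storable, matching what the reporter observed.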
