Browserker incorrectly caches resources with a no-store cache directive
Problem
DAST scans ignore the Cache-Control: no-store directive on HTTP response headers. This can cause resources to be cached incorrectly, so pages may not load correctly when DAST scans customer applications.
Proposal
DAST should not cache resources of any type whose Cache-Control response header contains no-store.
Implementation plan
- HTTPMessage.IsCacheable should look for Cache-Control: no-store in the Response, similar to how it already does for the Request. See HTTPMessage.
- HTTPMessage.IsCacheable should return false when Response is nil. Messages can have a nil response when the server does not respond to an HTTP request.
- Add unit tests.
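The following is an added example of the two rules in the plan above, written in Go (Browserker's language). It is illustrative code, not Browserker's own implementation: the HTTPMessage struct shape (Request and Response as *http.Request and *http.Response), the hasNoStore and newMessage helpers, and the example URL are assumptions made here. It parses Cache-Control as a comma-separated, case-insensitive directive list that may be spread over several header lines, so that "private, No-Store, max-age=0" or a second Cache-Control line carrying no-store is still detected, and it treats a nil Response as non-cacheable.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// HTTPMessage pairs a crawled request with its response. Response is nil
// when the server never answered (timeout, reset, ...).
// Illustrative shape only; assumed for this example, not Browserker's type.
type HTTPMessage struct {
	Request  *http.Request
	Response *http.Response
}

// hasNoStore reports whether any Cache-Control header line carries the
// no-store directive. Directives are comma-separated and case-insensitive,
// so each name is trimmed, stripped of an optional "=value" part, and
// compared with EqualFold rather than with a substring search.
func hasNoStore(h http.Header) bool {
	for _, line := range h.Values("Cache-Control") {
		for _, directive := range strings.Split(line, ",") {
			name := strings.TrimSpace(directive)
			if i := strings.Index(name, "="); i >= 0 {
				name = name[:i]
			}
			if strings.EqualFold(name, "no-store") {
				return true
			}
		}
	}
	return false
}

// IsCacheable applies the two rules from the implementation plan:
// a message without a response is never cacheable, and no-store on either
// the request or the response disables caching. Other cacheability rules
// are deliberately out of scope here.
func (m *HTTPMessage) IsCacheable() bool {
	if m == nil || m.Request == nil || m.Response == nil {
		return false
	}
	if hasNoStore(m.Request.Header) || hasNoStore(m.Response.Header) {
		return false
	}
	return true
}

// newMessage builds a message from constructed headers (assumed helper).
// respCC is applied only when withResponse is true.
func newMessage(reqCC, respCC string, withResponse bool) *HTTPMessage {
	req, _ := http.NewRequest(http.MethodGet, "https://app.example/test", nil)
	if reqCC != "" {
		req.Header.Set("Cache-Control", reqCC)
	}
	m := &HTTPMessage{Request: req}
	if withResponse {
		resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}}
		if respCC != "" {
			resp.Header.Set("Cache-Control", respCC)
		}
		m.Response = resp
	}
	return m
}

func main() {
	// Constructed sample messages covering the cases in the plan.
	for _, c := range []struct {
		label string
		msg   *HTTPMessage
	}{
		{"response no-store", newMessage("", "private, No-Store, max-age=0", true)},
		{"request no-store", newMessage("no-store", "", true)},
		{"nil response", newMessage("", "", false)},
		{"plain max-age", newMessage("", "public, max-age=3600", true)},
	} {
		fmt.Printf("%-18s cacheable=%v\n", c.label, c.msg.IsCacheable())
	}
}
```

The unit tests the plan asks for should cover at least these four cases plus a Cache-Control value split across two header lines, since http.Header.Set versus Add is exactly where a naive check on the first value would miss the directive.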
Reference
Related to customer support issue https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/240.
Edited by Cameron Swords