Sub Optimal Cache Control Directives
What is it?
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for sub optimal or missing cache control headers.
What is the solution?
For secure content, ensure the cache-control HTTP header is set with 'no-cache, no-store, must-revalidate'. If an asset should be cached consider setting the directives 'public, max-age, immutable'.