Ticket #1121 (new defect)

Opened 8 years ago

[S] Secured URLs can be cached by proxy servers

Reported by: pjkersha Owned by: pjkersha
Priority: required Milestone:
Component: security Version:
Keywords: Cc:

Description

Ref.  http://esgf.org/bugzilla/show_bug.cgi?id=11 ...

If the user is behind a caching web proxy, secured URLs may be cached and served to unauthorized users.

Once a user downloads a secured file with a client certificate it can be retrieved again without giving credentials. This has been confirmed from behind the BADC web proxy for requests to BADC and JPL datanodes.

TDS should set the header "Cache-Control: no-cache" to instruct caches not to cache secured URLs.

Create a new WSGI filter to add this to the HTTP header of responses.
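
One way the WSGI filter proposed above could look, as an added example rather than the project's own code: the middleware replaces any `Cache-Control` the wrapped application set with the value from the ticket. The `prefixes` option, the Paste Deploy factory wiring, `sample_app` and the `/secured/` path are assumptions for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Header value proposed in the ticket. Per RFC 9111, "no-cache" makes a cache
# revalidate with the origin before reuse; "no-store" forbids storing at all.
TICKET_VALUE = "no-cache"


class CacheControlFilter:
    """WSGI middleware that forces a Cache-Control header on responses."""

    def __init__(self, app, value=TICKET_VALUE, prefixes=None):
        self.app = app
        self.value = value
        # Hypothetical option: limit the filter to secured path prefixes.
        # None means every response is marked.
        self.prefixes = tuple(prefixes) if prefixes else None

    def __call__(self, environ, start_response):
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if self.prefixes is not None and not path.startswith(self.prefixes):
            return self.app(environ, start_response)

        def marked_start_response(status, headers, exc_info=None):
            # Replace, rather than append to, any Cache-Control the wrapped
            # application set, so "public, max-age=..." cannot survive.
            kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            kept.append(("Cache-Control", self.value))
            return start_response(status, kept, exc_info)

        return self.app(environ, marked_start_response)


def filter_app_factory(app, global_conf=None, **local_conf):
    """Paste Deploy style factory (assumes the filter is wired in via Paste)."""
    prefixes = local_conf.get("prefixes", "").split() or None
    return CacheControlFilter(app, local_conf.get("value", TICKET_VALUE), prefixes)


def sample_app(environ, start_response):
    """Constructed stand-in for the data server; sets a cache-friendly header."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"secured bytes"]


def response_headers(app, path):
    """Call a WSGI app for `path` and return the headers it sent."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    sent = {}
    body = app(environ, lambda status, headers, exc_info=None: sent.update(headers=headers))
    b"".join(body)
    return sent["headers"]
```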
