
ShunNien's Blog


Cache-Control Settings on IIS

A while ago a third party ran a vulnerability scan against the company's projects. The notes that follow record the issues that showed up across several of those projects.

Cache Management: Insecure Policy (11306)

Summary

WebInspect has detected a potentially unsafe cache control policy for secure content. While content transmitted over an SSL/TLS channel is expected to guarantee confidentiality, administrators must nonetheless ensure that caching of sensitive content is disabled unless absolutely needed. The misconception that secure content caching is disabled by default by user-agents could cause the application to fail the organization’s cache policy by leaving the secure content cacheable by browsers. Unsafe specification such as Cache-Control: public would instruct the browser to persistently cache the content on the hard drive. Caching can be prevented by specifying one of the following three directives in the response headers:

  • Cache-Control: private
  • Cache-Control: no-cache
  • Cache-Control: no-store

The third-party scanner was Fortify WebInspect Enterprise, a commercial product. It offers a 15-day trial with every feature enabled, but the trial is locked to scanning only zero.webappsecurity.com.

IIS configuration

Microsoft's documentation on Client Cache settings describes the Cache-Control response header directives listed below:

  • Cache-Control: must-revalidate
  • Cache-Control: no-cache
  • Cache-Control: no-store
  • Cache-Control: no-transform
  • Cache-Control: public
  • Cache-Control: private
  • Cache-Control: proxy-revalidate
  • Cache-Control: max-age=<seconds>
  • Cache-Control: s-maxage=<seconds>

Configuring this in the IIS management UI is straightforward: select HTTP Response Headers to reach the settings.

(screenshot: HTTP Response Headers in IIS Manager)

Then choose Set Common Headers to set the cache duration.

(screenshot: Set Common Headers dialog)

Configuring via web.config

Disable caching

```xml
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="DisableCache" />
    </staticContent>
  </system.webServer>
</configuration>
```

Set an expiry of 8 days

```xml
<configuration>
  <system.webServer>
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="8.00:00:00" />
    </staticContent>
  </system.webServer>
</configuration>
```

Verifying the configuration

To verify, open the developer tools in Chrome or another browser; the response headers of each request are visible under the Network tab.
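The same check can be scripted. This is an added example, not code from the original post: it applies the WebInspect 11306 rule quoted above (private, no-cache or no-store present; public flagged) to a parsed response header, and evaluates the header each of the two web.config settings makes IIS emit. The mapping DisableCache → `no-cache` and UseMaxAge → `max-age=<seconds>` is assumed from Microsoft's clientCache documentation; the TimeSpan parser and the function names are this example's own.

```python
import re

# Directives the WebInspect 11306 rule accepts as preventing caching.
SAFE_DIRECTIVES = {"private", "no-cache", "no-store"}


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def assess_cache_policy(headers):
    """Apply the 11306 rule to a response header dict; returns (status, reason)."""
    value = next((v for k, v in headers.items() if k.lower() == "cache-control"), None)
    if value is None:
        return ("insecure", "no Cache-Control header, browser may cache the response")
    directives = parse_cache_control(value)
    if "public" in directives:
        return ("insecure", "'public' permits persistent caching")
    present = SAFE_DIRECTIVES.intersection(directives)
    if present:
        return ("ok", "caching restricted by " + ", ".join(sorted(present)))
    return ("insecure", "none of private/no-cache/no-store present")


def timespan_to_seconds(timespan):
    """Convert an IIS cacheControlMaxAge TimeSpan ('d.hh:mm:ss' or 'hh:mm:ss') to seconds."""
    m = re.fullmatch(r"(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})", timespan)
    if not m:
        raise ValueError(f"unrecognised TimeSpan: {timespan}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def assess_client_cache(mode, max_age=None):
    """Assess the Cache-Control header a <clientCache> setting makes IIS emit.
    Assumed from Microsoft's docs: DisableCache -> 'no-cache', UseMaxAge -> 'max-age=<s>'."""
    if mode == "DisableCache":
        headers = {"Cache-Control": "no-cache"}
    elif mode == "UseMaxAge":
        headers = {"Cache-Control": f"max-age={timespan_to_seconds(max_age)}"}
    else:
        raise ValueError(f"unsupported cacheControlMode: {mode}")
    return assess_cache_policy(headers)
```

Run against the two settings above, DisableCache passes the rule while UseMaxAge with 8.00:00:00 yields only `max-age=691200`, which the scanner still reports for sensitive content because none of the three accepted directives is present.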
