WebApp Sec mailing list archives
RE: Publishing Web Based Application via ICA protocol
From: "Jose Varghese" <jose.varghese () paladion net>
Date: Mon, 1 Aug 2005 12:10:59 +0530
Hi Saqib,

I would like to inform you that setting the right "Cache-Control" header can help in preventing a browser from caching doc/pdf/xls type files. To prevent the files being cached, the following needs to be done:

1. Dynamically stream the document to the browser.
2. Set the cache control header to "NO-STORE".
3. Ensure that the connection is HTTPS.

I had written a tiny snippet of code in ASP and simulated the same using Microsoft IIS 6.0. Both Mozilla and Internet Explorer browsers will not cache the application files if they are served on an HTTPS connection.

Regards
Jose Varghese
Paladion Networks
http://palisade.paladion.net

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Saturday, July 16, 2005 8:00 PM
To: jose. varghese @ paladion. net
Cc: webappsec () securityfocus com
Subject: Re: Publishing Web Based Application via ICA protocol

Hello Jose,

I went through the document, and here is my feedback:

1) As far as I know, the CACHE-CONTROL header does NOT provide protection against caching of doc/pdf/xls/vsd files. The files still get downloaded locally on the machine for viewing, and remain in the Internet Temporary Files folder. Am I wrong? Please let me know if this is not the case. Thanks.

2) I do dynamically render all the documents. In addition I am also using anti-leeching methods to prevent traversal and/or direct linking.
Regarding the issue of sensitive documents getting cached at the client machine, Andres Desa discusses this and more about secure document delivery over the Internet in the paper http://www.paladion.net/papers/Document_Security_in_Web_Applications.pdf.
-- In Peace, Saqib Ali http://www.xml-dev.com/blog/
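The three steps listed in the reply above, as an added example that is not part of the original thread and is not the ASP snippet the poster mentions. It uses a Python WSGI handler; the names `app`, `stream`, `call` and the sample document bytes are constructed for illustration.

```python
from io import BytesIO
from urllib.parse import parse_qs

CHUNK_SIZE = 8192
NO_STORE = ("Cache-Control", "no-store")

# Constructed sample document store (assumption for this example); a real
# application would authorize the user and read from its own storage.
SAMPLE_DOCS = {"report": ("application/pdf", b"%PDF-1.4 constructed sample\n" * 1000)}

def stream(fileobj):
    """Step 1: yield the document in chunks instead of linking to a static file."""
    while True:
        chunk = fileobj.read(CHUNK_SIZE)
        if not chunk:
            return
        yield chunk

def app(environ, start_response):
    # Step 3: refuse plain HTTP. Behind a TLS-terminating proxy this value
    # reflects the proxy-to-app hop, so enforce HTTPS at the proxy in that setup.
    if environ.get("wsgi.url_scheme") != "https":
        start_response("403 Forbidden", [("Content-Type", "text/plain"), NO_STORE])
        return [b"HTTPS required\n"]
    doc_id = parse_qs(environ.get("QUERY_STRING", "")).get("id", [""])[0]
    if doc_id not in SAMPLE_DOCS:
        start_response("404 Not Found", [("Content-Type", "text/plain"), NO_STORE])
        return [b"Not found\n"]
    content_type, data = SAMPLE_DOCS[doc_id]
    # Step 2: mark the response as not storable by any cache.
    start_response("200 OK", [("Content-Type", content_type),
                              ("Content-Length", str(len(data))), NO_STORE])
    return stream(BytesIO(data))

def call(scheme, query):
    """Drive the app without a server; returns (status, headers, chunks)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    chunks = list(app({"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
                       "QUERY_STRING": query}, start_response))
    return seen["status"], seen["headers"], chunks

if __name__ == "__main__":
    for scheme in ("https", "http"):
        status, headers, chunks = call(scheme, "id=report")
        print(scheme, status, headers["Cache-Control"], len(chunks), "chunk(s)")
```

Error responses carry the same `no-store` header so that a denial page is not cached either.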