Rule Definition
Ensure the client-side is always up to date with the server. Prevent the client browser to cache pages that could be misused or outdated and then give bad information to the user.
Remediation
Ensure you are manually setting up the No Cache headers in your express instance or use third-party helmet package
Violation Code Sample
var express = require('express');
var app = express();
app.get('/', function(req, res){
res.send("<html><body>hello world<script type='text/javascript'>alert('got you')</script></body></html>");
});
app.listen(3000);
Fixed Code Sample
var express = require('express');
var app = express();
var helmet = require('helmet');
app.use(helmet)
// direclty use nocache package
var nocache = require('nocache')
app.use(nocache())
// or with helmet
app.use(helmet.noCache())
app.get('/', function(req, res){
res.send("<html><body><p>hello world</p><script type='text/javascript'>alert('got you')</script></body></html>");
});
app.listen(3000);
Reference
https://helmetjs.github.io/docs/nocache/
https://expressjs.com/en/advanced/best-practice-security.html
Related Technologies
Technical Criterion
PCI-DSS4-Requirement-2.2.6 - System security parameters are configured to prevent misuse
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.