Use of Web Browser Cache Containing Sensitive Information
This weakness occurs when a web application stores sensitive data passwords, authentication tokens, personal information, financial details in the browser's…
This weakness occurs when a web application stores sensitive data (passwords, authentication tokens, personal information, financial details) in the browser's cache without proper controls. Once cached, this data may persist on disk long after the user closes their browser, making it accessible to anyone with physical or logical access to the device — particularly dangerous on shared computers, public terminals, or devices that are later sold or repurposed.
02How It Happens
Web browsers automatically cache HTTP responses to improve performance and reduce bandwidth. By default, most browsers cache responses marked with standard cache headers, including pages containing sensitive information. Developers often overlook cache directives when building authentication flows, account pages, or forms that handle passwords or tokens. The browser stores this cached content in a local directory on the user's machine, where it can be recovered even after the session ends — either through the browser's cache viewer, file system access, or forensic tools. The weakness is compounded on shared devices where multiple users access the same machine.
03Real-World Impact
An attacker with access to a shared computer (a library terminal, internet café, or office workstation) can retrieve cached pages containing login credentials, session tokens, or personal data. This enables account takeover, identity theft, or unauthorized access to sensitive accounts. On corporate networks, cached financial or health information could lead to compliance violations (HIPAA, PCI-DSS, GDPR). Even after a user believes their session is private, their sensitive data remains recoverable from the device's storage.
Why it's vulnerable: The response is returned without cache-control headers, so the browser caches the page containing the API token and user data. An attacker with device access can retrieve this cached HTML file.
Add Cache-Control: no-store, no-cache, must-revalidate, max-age=0 headers to all responses containing sensitive data (login pages, account dashboards, payment forms, admin panels).
Include Pragma: no-cache and Expires: 0 headers for compatibility with older browsers and proxies.
Never pass sensitive data (tokens, passwords, PII) in URL query parameters; use POST requests with secure session cookies instead.
Configure session cookies with HttpOnly and Secure flags to prevent JavaScript access and enforce HTTPS-only transmission.
Test your application in a private/incognito browser window and verify that sensitive pages do not appear in the browser's cache history.
Document which pages handle sensitive data and ensure cache headers are applied consistently across your application.
06Signs You May Already Be Affected
Check your browser's cache directory (typically ~/.cache/ on Linux, ~/Library/Caches/ on macOS, or %LOCALAPPDATA%\Cache\ on Windows) for HTML files from your application's sensitive pages. If you find cached versions of login pages, account dashboards, or payment forms, your application is not properly preventing cache storage. Review your web server or application logs for missing or incorrect cache-control headers on sensitive endpoints.