A PCI audit a few years ago (before HTML5) recommended we add this:
Code: Select all
<meta http-equiv="pragma" content="no-cache"><meta http-equiv="cache-control" content="no-store,no-cache">
Wikipedia lists both as valid: https://en.wikipedia.org/wiki/List_of_H ... der_fieldsThe "pragma" pragma directive specified by the "http-equiv" attribute is not recognized. Consider removing this tag. Visit https://www.w3.org/TR/html5/document-me ... directives and https://wiki.whatwg.org/wiki/PragmaExtensions for more information.
The "cache-control" pragma directive is not allowed and not used in HTML5. Furthermore, placing caching instructions into meta tags is not recommended because proxies may not handle them. Instead, use real HTTP headers to send caching instructions.
This thread throws a little more light on the subject: http://stackoverflow.com/questions/1031 ... ol-headers
Since requiring TLS 1.2 for all secure hits, I doubt we'd have too many "older clients" since IE9 isn't even allowed and all secure hits return HTTP/1.1.Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept. They both are meant to prevent the client from caching the response. Older clients may not support HTTP/1.1 which is why that header is still in use.
No doubt using headers for all secure pages would be the best route and I'll have to see if I can add it to our web application and see if it works to simply add a no-cache header without removing existing headers. I wouldn't be surprised if a scan would suggest re-adding it.
What's your impression?