Cache poisoning attacks result in malicious responses that are cached and served to other users.
Overview
A cache poisoning attack uses an HTTP request to trick an origin web server into responding with a harmful resource that has the same cache key as a clean request. As a result, the poisoned resource gets cached and served to other users.
Content Delivery Networks (CDN) like Cloudflare rely on cache keys to compare new requests against cached resources and determine whether the resource should be either served from the cached or requested directly from the origin web server.
Recommendations for avoiding cache poisoning
Below are some recommendations to help you prepare against cache poisoning vulnerabilities and attacks.
Learn about cache poisoning
To deepen your understanding of the risks and vulnerabilities associated with cache poisoning, consult the following resources:
Only cache files that are truly static
Review the caching configuration for you origin web server and ensure that you’re caching files that are static and do not depend on user input in any way.
To learn more about Cloudflare caching, review:
- Which file extensions does Cloudflare cache for static content?
- How Do I Tell Cloudflare What to Cache?
Do not trust data in HTTP headers
Client-side vulnerabilities are often exploited through HTTP headers, including cross-site scripting (XSS).
In general, you should not trust the data in HTTP headers and as such:
- Do not rely on values in HTTP headers if they’re not part of your cache key.
- Never return HTTP headers to users in cached content.
Monitor web security advisories
To keep informed about Internet security threats, it is important to monitor web security advisories on a regular basis. Some of the more popular advisories include: