R177. Avoid caching and temporary files

This document contains the details of the security requirement related to the definition and management of sensitive information in the organization. It establishes the importance of storing sensitive data securely, avoiding temporary files and cache memory.

The system must not store sensitive information in temporary files or cache memory.

Applications sometimes run in, or are consumed by, environments in which caching is possible. Caching improves performance or makes certain actions more convenient for the application's users. However, cached information is often more susceptible to being exposed or corrupted, since copies of it end up in browsers, proxies, load balancers and on-disk temporary files that are not governed by the application's own access controls. Thus, avoiding cache memory and temporary files helps protect sensitive information.


  1. CWE-524: Use of Cache Containing Sensitive Information. The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

  2. CWE-525: Use of Web Browser Cache Containing Sensitive Information. The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

  3. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing. (1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  4. GDPR. Art. 5: Principles relating to processing of personal data. (1)(f) Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

  5. OWASP-ASVS v4.0.1 V8.1 General Data Protection. (8.1.1) Verify the application protects sensitive data from being cached in server components such as load balancers and application caches.

  6. OWASP-ASVS v4.0.1 V8.1 General Data Protection. (8.1.2) Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.

  7. OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection. (8.2.1) Verify the application sets sufficient anti-caching headers so that sensitive data is not cached in modern browsers.

  8. OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection. (8.2.2) Verify that data stored in client side storage (such as HTML5 local storage, session storage, IndexedDB, regular cookies or Flash cookies) does not contain sensitive data or PII.
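The following is an added example, not code from the Fluid Attacks requirement above, showing the HTTP side of this requirement: a minimal WSGI application that sends anti-caching headers only on responses carrying sensitive data (ASVS 8.2.1, and the rationale about browsers and intermediaries keeping copies), together with an audit helper that flags responses whose headers would still let a browser or shared cache keep a copy. The application, the `/account` and `/statements` paths, and the sample bodies are constructed for the example; the header values are the standard `Cache-Control: no-store` family.

```python
"""Added example (not from the Fluid Attacks page): anti-caching headers for
sensitive responses, plus an audit that classifies a response's headers."""
from typing import Dict, List, Tuple
from wsgiref.util import setup_testing_defaults

# Headers that tell browsers and shared caches (proxies, CDNs, load balancers)
# not to keep a copy of the response. "no-store" is the directive modern caches
# honour; Pragma and Expires cover HTTP/1.0-era intermediaries.
ANTI_CACHING_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed: URL prefixes whose responses contain sensitive data.
# Everything else is treated as public and cacheable.
SENSITIVE_PREFIXES = ("/account", "/statements")


def app(environ, start_response):
    """Minimal WSGI application: public pages may be cached, sensitive ones may not."""
    path = environ.get("PATH_INFO", "/")
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if path.startswith(SENSITIVE_PREFIXES):
        headers.extend(ANTI_CACHING_HEADERS.items())
        body = b"account holder: (constructed sample data)"
    else:
        headers.append(("Cache-Control", "public, max-age=3600"))
        body = b"public landing page"
    start_response("200 OK", headers)
    return [body]


def call_app(path: str) -> Tuple[str, Dict[str, str]]:
    """Invoke the app offline with a synthetic request; return status and lowercased headers."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the rest of a valid WSGI environ
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in response_headers}

    list(app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]


def _directives(cache_control: str) -> set:
    """Lowercase directive names from a Cache-Control value ("max-age=60" -> "max-age")."""
    return {p.strip().split("=", 1)[0].lower() for p in cache_control.split(",") if p.strip()}


def audit_caching(headers: Dict[str, str]) -> List[str]:
    """Findings for a response that is supposed to carry sensitive data.

    Header names are compared case-insensitively. An empty list means the
    response passes the anti-caching check. Note that "private" alone is not
    enough: it only keeps shared caches out, the browser may still store it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "no-store" not in _directives(h.get("cache-control", "")):
        findings.append("Cache-Control lacks no-store; browsers and proxies may keep a copy")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 intermediaries)")
    if h.get("expires", "").strip() not in ("0", "-1"):
        findings.append("Expires should be 0 or -1 for sensitive responses")
    return findings


if __name__ == "__main__":
    for path in ("/", "/account/balance"):
        status, hdrs = call_app(path)
        print(path, status, hdrs.get("cache-control"), audit_caching(hdrs))
```

Running the module shows the public page reported with three findings and the account page with none. The audit deliberately treats `Cache-Control: private` as insufficient for sensitive data, which is the usual mistake found during ASVS 8.2.1 reviews; the server-side copies covered by 8.1.1 and 8.1.2 (application caches, load balancers, temporary files) are outside what response headers can control and need their own review.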
