Identity 4.4.0
Security enhancements
Cache Control
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS.
The cache can be used to maintain a pool of objects, threads, connections, pages, or passwords to minimise the time it takes to access them or the resources to which they connect. If implemented improperly, these caches can allow access to unauthorised information.
Applications should return caching directives instructing browsers not to store local copies of any sensitive data. This can be achieved by configuring the web server to prevent caching for the relevant paths within the web root, or by setting the caching directives from within the individual scripts that generate the responses. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:
The Cache-Control general header field specifies directives for caching mechanisms in both requests and responses. Caching directives are unidirectional: a directive present in a request does not imply that the same directive will be given in the response.
The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. It is used for backwards compatibility with HTTP/1.0 caches, which do not understand the HTTP/1.1 Cache-Control header.
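The following added example (not part of the Identity 4.4.0 release notes) shows the two headers above as a server would emit them and a small audit that flags responses whose directives would still let a browser or intermediary keep a copy; the header values and sample responses are constructed for illustration.

```python
"""Audit HTTP response headers for cache-control weaknesses on sensitive content."""
from typing import Dict, List

# Headers a server should return on responses carrying sensitive content:
# Cache-Control for HTTP/1.1 caches, Pragma for legacy HTTP/1.0 caches.
RECOMMENDED_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into a directive -> argument mapping.
    Directive names are case-insensitive; 'max-age=0' yields {'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_caching(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the response is acceptable.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: browsers may write a local copy")
    if "public" in cc:
        findings.append("Cache-Control: public lets shared caches keep the response")
    if cc.get("max-age", "0") != "0" and "no-store" not in cc:
        findings.append(f"Cache-Control: max-age={cc['max-age']} permits reuse")
    if lowered.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing: HTTP/1.0 caches may store the response")
    return findings


# Constructed samples: a weak response and one using the recommended headers.
WEAK_RESPONSE = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}
HARDENED_RESPONSE = {"Content-Type": "text/html", **RECOMMENDED_HEADERS}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_caching(hdrs) or ["ok"])
```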
Browser cache vulnerabilities from the OWASP application security FAQ:
• https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Browser_Cache
Caching in HTTP:
• https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
Common weakness enumeration (CWE) information on caching information exposures:
• https://cwe.mitre.org/data/definitions/524.html
• https://cwe.mitre.org/data/definitions/525.html
Hiding swagger
Swagger UI can be turned off.
Swagger UI exposes a lot of information about the website and the environment the application runs in. Any internet user can access the page and retrieve the page version and build date, parameter names and data types, and every API endpoint together with the request structure the server expects.