# Caching and Cache Poisoning Defenses

One-sentence definition: Configure caches so they never serve attacker-controlled or user-specific content to the wrong requester.

## Key Facts

- Set `Cache-Control: no-store` on sensitive responses and `Cache-Control: private` on user-specific responses that only the user's own browser may keep. A shared cache must not store a response to a request carrying `Authorization` unless the response explicitly opts in (`public`, `s-maxage` or `must-revalidate`).
- Every request input that changes the response must be part of the cache key: name such headers in `Vary` (`Accept-Encoding`, `Accept-Language`, ...) or strip them at the edge. A header that changes the response but is not keyed is the classic poisoning vector: one attacker request primes an entry that is then served to everyone.
- Normalize URLs before computing the key (case, default ports, dot segments, parameter order) and reject ambiguous encodings (double percent-encoding, backslashes) instead of guessing, so the cache and the origin cannot disagree about which resource a request names.
- Separate static from dynamic routes; purge on deploy; serve assets under content-hashed, immutable names and verify their integrity (signed builds, Subresource Integrity on the tag that loads them).
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Recognize cache poisoning vectors that rely on header confusion: the origin's response depends on a request header the cache does not include in its key.

**Mnemonic:** “**Cache carefully, or don’t**.”

## Mini Scenario

Q: An attacker poisons a cached JavaScript file. What prevents it?

A: Content-hashed, immutable asset names (a new deploy references new names, so a stale or poisoned entry is never referenced again), a cache key that covers every input affecting the response, and signature or integrity verification of the asset (signed build artifacts; Subresource Integrity in the browser).

## Revision Checklist

- The two `Cache-Control` directives for sensitive data (`no-store`, `private`).
- What `Vary` adds to the cache key.
- Why assets are content-hashed.

## Related

[[Edge and CDN Security (WAF TLS Caching)]] · [[Secure HTTP Headers (HSTS Frame Ancestors CORS)]] · [[Web XSS Defenses and Content Security Policy (CSP)]] · [[Build Integrity and Supply Chain Security (Signing Provenance)]] · [[Domain 8 - Index]]
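Worked example of the Key Facts: a toy shared cache in Python that normalizes URLs, rejects ambiguous encodings, honours `no-store`/`private` and the `Authorization` opt-in rule, and keys entries on the request headers named in `Vary`. This is an added example, not code from the page or from any cache product; the origin function, the request/response dictionaries and the `X-Forwarded-Host` poisoning run are constructed for illustration (the header names and the `Cache-Control` rules are the real ones from RFC 9111).

```python
"""Toy shared (edge) cache: URL normalization, Cache-Control handling and
Vary-based keys. Added illustration, not production code."""
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit


def _hget(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def normalize_url(url):
    """Canonicalize a URL so equivalent spellings share one cache key.
    Ambiguous encodings (double percent-encoding, backslash, NUL) raise
    ValueError rather than being guessed at: cache and origin may decode
    them differently, which is what URL-confusion poisoning exploits."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"                 # keep only non-default ports
    path = unquote(p.path or "/")                 # decode exactly once
    if "%" in path or "\\" in path or "\x00" in path:
        raise ValueError(f"ambiguous path encoding: {p.path!r}")
    segs = []
    for seg in path.split("/"):                   # collapse '.', '..' and '//'
        if seg == "..":
            if segs: segs.pop()
        elif seg not in ("", "."):
            segs.append(seg)
    query = urlencode(sorted(parse_qsl(p.query, keep_blank_values=True)))
    return urlunsplit((scheme, host, quote("/" + "/".join(segs)), query, ""))


class SharedCache:
    """Cache key = normalized URL + the request headers named by Vary."""

    def __init__(self):
        self._entries = {}

    @staticmethod
    def _directives(response):
        cc = _hget(response["headers"], "Cache-Control")
        return {d.strip().split("=")[0].lower() for d in cc.split(",") if d.strip()}

    @staticmethod
    def _key(request, vary):
        parts = [normalize_url(request["url"])]
        parts += [f"{h.lower()}={_hget(request['headers'], h)}" for h in vary]
        return "|".join(parts)

    def lookup(self, request):
        for e in self._entries.get(normalize_url(request["url"]), []):
            if e["key"] == self._key(request, e["vary"]):
                return e["response"]
        return None

    def store(self, request, response):
        """Return True if stored; follows the RFC 9111 rules for a shared cache."""
        d = self._directives(response)
        if "no-store" in d or "private" in d:
            return False                          # sensitive / per-user response
        if _hget(request["headers"], "Authorization") and \
                {"public", "s-maxage", "must-revalidate"}.isdisjoint(d):
            return False                          # authenticated: needs explicit opt-in
        vary = [h.strip() for h in _hget(response["headers"], "Vary").split(",") if h.strip()]
        if "*" in vary:
            return False                          # 'Vary: *' is never reusable
        self._entries.setdefault(normalize_url(request["url"]), []).append(
            {"key": self._key(request, vary), "vary": vary, "response": response})
        return True


def origin(request, vary_on_forwarded_host):
    """Constructed origin that builds a script URL from X-Forwarded-Host, an
    input that changes the body but is not part of the URL (an unkeyed input).
    Only if Vary names it, or the edge strips it, does the cache key reflect it."""
    host = _hget(request["headers"], "X-Forwarded-Host") or "example.com"
    headers = {"Cache-Control": "public, max-age=60"}
    if vary_on_forwarded_host:
        headers["Vary"] = "X-Forwarded-Host"
    return {"status": 200, "headers": headers,
            "body": f'<script src="https://{host}/static/app.js"></script>'}


def serve(cache, request, vary_on_forwarded_host):
    """Edge logic: cache hit, else fetch from origin and try to store."""
    hit = cache.lookup(request)
    if hit is not None:
        return hit, True
    resp = origin(request, vary_on_forwarded_host)
    cache.store(request, resp)
    return resp, False


def poisoning_demo(vary_on_forwarded_host):
    """Attacker primes the cache, then a victim requests the same URL.
    Returns the body the victim receives."""
    cache = SharedCache()
    url = "https://example.com/index.html"
    attacker = {"url": url, "headers": {"X-Forwarded-Host": "evil.example"}}
    serve(cache, attacker, vary_on_forwarded_host)
    victim, _ = serve(cache, {"url": url, "headers": {}}, vary_on_forwarded_host)
    return victim["body"]
```

`poisoning_demo(False)` returns the victim's page with the `<script>` pointing at `evil.example`: the attacker's single request filled the only entry for that URL. `poisoning_demo(True)` keys on `X-Forwarded-Host`, so the victim misses and gets a clean origin response. Stripping the header at the edge is the stronger fix in practice, since putting an attacker-controlled header in `Vary` lets the attacker fragment the cache at will.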