By default, proxy caches do not decrypt or cache encrypted pages (those delivered over an SSL connection). So, as long as pages containing sensitive information, such as credit card details, are delivered over an SSL connection, your customers' information will be not be stored on the proxy server. However, if you are responsible for the proxy server, you should check its cache settings to make sure it is not caching sensitive pages. For example, ISA Server can be configured to cache SSL response traffic that is bridged.
If you're a developer and want to ensure that some or all of your pages aren't cached, add the "Expires" attribute and set the expiration date in the past on the relevant pages. For example:
<META HTTP-EQUIV="Expires" CONTENT="Thu, 01 Dec 1998 12:00:00 GMT">
Version 1.1 of the HTTP standard added a new field called Cache Control and one of the options for this attribute is "no-cache" as in:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
This instructs caches not to keep a copy of the representation under any condition. Two caveats, though:
- Internet Explorer does not obey this instruction for non-HTML pages such as PDF documents.
- Older browsers that only support HTTP 1.0 do not obey this instruction either.
While many developers believe that assigning a "Pragma: no-cache HTTP header" will make a page uncacheable, this is unreliable and should be avoided because, technically, it is incorrect -- the HTTP standard specifies Pragma as a header to be sent by clients when requesting a fresh copy of a page, not by servers.
Finally, both IE and Netscape have an option to cache documents locally obtained via SSL. It is important to note that if this option is enabled, anyone who gains access to the computer could read any personal information contained within the document because again, it will be stored in the browser's cache.
This was first published in December 2005