177 – Avoid caching and temporary files

Summary

The system must not store sensitive information in temporary files or cache memory.

Description

Applications sometimes reside in or get consumed by environments in which caching is possible. Caching helps performance or makes certain actions more comfortable for the application users. However, cached information is often more susceptible to being exposed or corrupted. Thus, avoiding cache memory and temporary files helps protect sensitive information.

Supported In

Essential: True

Advanced: True

References

• CWE-285. Improper authorization
• CWE-377. Insecure temporary file
• CWE-524. Use of cache containing sensitive information
• CWE-525. Use of web browser cache containing sensitive information
• EPRIVACY-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP10-A2. Cryptographic failures
• CERTJ-FIO03-J. Remove temporary files before termination
• NYSHIELD-5575_B_6. Personal and private information
• HITRUST-09_h. Capacity management
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• WASC-W_13. Information leakage
• NISTSSDF-PS_3_1. Archive and protect each software release
• PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
• OWASPSCP-8. Data protection
• ASVS-8_1_2. General data protection
• CASA-13_1_4. Generic Web Service Security
• OWASPLLM-LLM02:2025. Sensitive Information Disclosure
• OWASPLLM-LLM07:2025. System Prompt Leakage
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 136 – Insecure or unset HTTP headers - Cache Control
• 213 – Business information leak - JWT
• 214 – Business information leak - Credentials
• 215 – Business information leak - Repository
• 216 – Business information leak - Source Code
• 217 – Business information leak - Credit Cards
• 218 – Business information leak - Network Unit
• 219 – Business information leak - Redis
• 220 – Business information leak - Token
• 221 – Business information leak - Users
• 222 – Business information leak - DB
• 223 – Business information leak - JFROG
• 224 – Business information leak - AWS
• 225 – Business information leak - Azure
• 226 – Business information leak - Personal Information
• 227 – Business information leak - NAC
• 228 – Business information leak - Analytics
• 229 – Business information leak - Power BI
• 230 – Business information leak - Firestore
• 291 – Business information leak - Financial Information
• 336 – Business information leak - Corporate information
• 019 – Administrative credentials stored in cache memory
• 028 – Insecure temporary files
• 038 – Business information leak
• 065 – Cached form fields
• 080 – Business information leak - Customers or providers
• 085 – Sensitive data stored in client-side storage

Last updated

2025/06/17