If you asked the web developers at XYZ Insurance, a mere network engineer like Billy had no business snooping around in their code. “He probably doesn’t even know what HTML stands for,” they’d sneer, and they kept sneering until a routine change to fulfill an audit requirement brought their internal website grinding to a halt.


Green Gecko gobeirne
This article is actually about a health insurance company, but they don’t generally have cute CGI mascots

It was a security audit, and Billy had already seen the audit report. It was produced by a contractor at the request of corporate. There were two main problems with the internal site, and both were serious enough that Management told the developers to drop everything and fix them:

  1. The main insurance policy application allowed caching of HTTPS responses, which meant sensitive information might survive a browser session in the local cache, potentially making it available to unauthorized users
  2. The login / forgot password / change password forms allowed auto-completion, again potentially exposing credentials to those unworthy thereof

Now, Billy was no web developer, but he understood the proposed solutions: set a Cache-control: no-store header on all pages with sensitive information (policy details, social security numbers, etc.), and add autocomplete="off" to the <form> tags that contained password fields. Simple. So simple, that when insurance agents started calling the support line complaining of empty white screens and sluggish responses, Billy’s team assumed their infrastructure must be to blame.

“Definitely no network issues, Billy” one of his technicians reported.

“And the load balancers?” Billy asked.

“An awful lot of throughput, we’re at like 15-mbit, steady. But there doesn’t seem to be anything wrong with them.”

“It’s been four days!” Billy put his face in his hands. “We’re gonna have to get Cisco on the phone.”

The technician shuddered. “That’s always fun. And expensive. Are you sure there’s nothing left to check?”

Billy thought long and hard. “Well… I guess we’ve assumed the developers already debugged their end, but…” He opened up a browser and its debugger and plunged into the forbidden world of web development. The first thing he noticed was a Cache-control: no-store header on a page containing static content. A few more requests revealed the same. Did the developers really disable caching for every response in the application, forcing even mundane images, stylesheets, and scripts to be served over again on every round-trip? Turns out, that’s exactly what the developers had done. Billy escalated to Management, and the fix was soon rolled out.

All was well for a few days- the weekend, really- but bright and early on Monday, another of Billy’s teammates pointed out that his browser was still offering to auto-fill his password. Billy started snooping around again and found that, while caching was disabled on the site’s login form, autocomplete was not. On a hunch, Billy logged into a test account and opened a policy.

“The page is still caching!”

“No way,” Billy’s teammate came over to look at the developer console. “Do you think they could just be messing with us?”

“Anything’s possible. We’d better get some screenshots of the sensitive data still in cache before we raise this with Management.”

Billy’s intuition turned out to be right; Management was skeptical that the network engineers were turning up so many bugs that the developers had missed, and initially dismissed the complaints. The proof was in the screenshots, however, and Management arranged a meeting to “circle the wagons and cut the churn.”

After Billy raised his points, the dev manager rolled his eyes. “We were given two instructions,” the dev manager explained: “roll-back the disabled caching, and secure the login form. So that’s what we did. I’m not sure I see the problem.”

At first, Billy didn’t know how to respond. He took his copy of the auditor’s report, circled the two key recommendations in red, and passed it over to the dev manager.

“If you’ll take a look at the report, you’ll see there are another two instructions. Would you please ask the developers to do those next?”

The dev manager huffed. “Fine.”

The next day, caching was disabled site-wide again.