Information Disclosure via X-LiteSpeed-Purge Header

Description

The 'X-LiteSpeed-Purge' header reveals that LiteSpeed's cache purge mechanism is in use, potentially exposing specific cache management or invalidation strategies. Attackers who learn how cache purges are triggered may attempt cache poisoning or replay attacks, or exploit misconfigured purge endpoints. Disclosing this header can also guide adversaries toward denial-of-service conditions if they learn how to mass-invalidate caches or flood the purge mechanism. Ultimately, any leak of cache management internals broadens the attack surface by providing a roadmap for cache-based exploitation tactics.

Remediation

Remove or obscure the 'X-LiteSpeed-Purge' header within LiteSpeed Web Server settings to prevent disclosing cache purge information. Ensure that any reverse proxies, CDNs, or load balancers do not re-inject this header when responding to external requests. Keep all LiteSpeed components updated with the latest security patches to mitigate known vulnerabilities. Employ a Web Application Firewall (WAF) or intrusion detection system to detect abnormal requests targeting purge endpoints or cache manipulation techniques. Regularly audit server configurations and logs to confirm that no sensitive caching details, such as purge commands or internal routing, are inadvertently exposed to untrusted clients.
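As an added example (not part of this advisory, and not LiteSpeed's own tooling), the following Python audit helper parses captured HTTP responses and reports any that still carry the 'X-LiteSpeed-Purge' header after the remediation above has been applied. The sample responses and the header value in them are constructed for illustration; header names are matched case-insensitively, as HTTP requires.

```python
"""Audit helper: flag HTTP responses that leak the X-LiteSpeed-Purge header.

Added example, not from the original advisory. It parses raw HTTP/1.1
responses offline with the standard library and reports cache-management
headers that should never reach an untrusted client.
"""
from http.client import HTTPResponse
from io import BytesIO

# Headers whose presence in an externally visible response discloses
# cache-purge internals. Only X-LiteSpeed-Purge is named in the advisory;
# the tuple is kept so a deployment can extend it (assumption).
DISCLOSING_HEADERS = ("x-litespeed-purge",)


class _FakeSocket:
    """Minimal socket stand-in so http.client can parse captured bytes."""

    def __init__(self, data: bytes):
        self._buf = BytesIO(data)

    def makefile(self, *_args, **_kwargs):
        return self._buf


def find_disclosed_headers(raw: bytes) -> dict:
    """Return {lower-cased name: value} for every disclosing header present."""
    resp = HTTPResponse(_FakeSocket(raw))
    resp.begin()  # parses status line and headers, leaves the body unread
    return {
        name.lower(): value
        for name, value in resp.getheaders()
        if name.lower() in DISCLOSING_HEADERS
    }


def audit(responses: dict) -> list:
    """Given {path: raw_response}, return the paths that leak a header."""
    return sorted(path for path, raw in responses.items()
                  if find_disclosed_headers(raw))


# Constructed sample responses (the purge value is illustrative only).
LEAKING_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                    b"Content-Type: text/html\r\n"
                    b"X-LiteSpeed-Purge: tag=constructed-example\r\n"
                    b"Content-Length: 0\r\n\r\n")
CLEAN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(audit({"/checkout/": LEAKING_RESPONSE, "/about/": CLEAN_RESPONSE}))
```

Feed it responses captured from the public edge (CDN or load balancer), not from the origin directly, since the remediation also requires that intermediaries do not re-inject the header.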

References

https://www.litespeedtech.com/docs
https://owasp.org/www-community/attacks/Cache_poisoning

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4