Information Disclosure via X-Nextjs-Cache Header

Description

The 'X-Nextjs-Cache' header indicates that Next.js' internal caching or revalidation mechanisms are in use. By revealing how caching is managed, attackers may gain insights into potential weaknesses in cache invalidation, stale data handling, or the overall caching layer. Such knowledge could facilitate cache poisoning, replay attacks, or the serving of outdated content, especially if combined with other vulnerabilities. Ultimately, disclosing this header broadens the attack surface by letting malicious actors tailor exploits to Next.js' caching approach and take advantage of any misconfigurations or oversights.

Remediation

Remove or mask the 'X-Nextjs-Cache' header in production builds to prevent unauthorized parties from learning about caching internals. Configure the Next.js server or any reverse proxies, CDNs, or load balancers to strip or rewrite this header. Keep Next.js and its plugins updated with the latest security patches, and periodically review your caching strategy to ensure it does not leak internal information. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor for suspicious requests aimed at cache poisoning or revalidation abuse. Regularly audit response headers and server configurations to confirm no sensitive operational data is inadvertently exposed.
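The following added example (not from Next.js or from this advisory's source) shows both halves of the remediation in plain Node.js: an audit helper that flags the header in captured response headers, and a wrapper that drops it when a Node `http.ServerResponse` writes its headers. The names `HIDDEN_HEADERS`, `findLeakedHeaders`, `filterHeaderArg` and `stripOnWriteHead` are hypothetical, the sample response is constructed, and it assumes the application is served through a Node HTTP server you control.

```javascript
// Added example, not Next.js code. Policy list of headers to hide (assumption).
const HIDDEN_HEADERS = ['x-nextjs-cache'];

// Constructed sample of raw response headers, as an audit job might capture them.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Nextjs-Cache: HIT',
  'Cache-Control: s-maxage=60, stale-while-revalidate',
].join('\r\n');

// Audit: return the hidden header names still present in a raw header block.
function findLeakedHeaders(rawHeaders, hidden = HIDDEN_HEADERS) {
  const leaked = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // status line or blank line
    const name = line.slice(0, colon).trim().toLowerCase();
    if (hidden.includes(name)) leaked.push(name);
  }
  return leaked;
}

// writeHead() accepts headers as an object or a flat [name, value, ...] array.
function filterHeaderArg(headers, hidden) {
  const keep = (name) => !hidden.includes(String(name).toLowerCase());
  if (Array.isArray(headers)) {
    const out = [];
    for (let i = 0; i + 1 < headers.length; i += 2) {
      if (keep(headers[i])) out.push(headers[i], headers[i + 1]);
    }
    return out;
  }
  return Object.fromEntries(Object.entries(headers).filter(([name]) => keep(name)));
}

// Mitigation: wrap a Node http.ServerResponse so hidden headers are dropped at
// the moment headers are written, whether set via setHeader() or writeHead().
function stripOnWriteHead(res, hidden = HIDDEN_HEADERS) {
  const original = res.writeHead;
  res.writeHead = function (statusCode, ...rest) {
    for (const name of hidden) this.removeHeader(name); // set earlier via setHeader()
    const args = rest.map((a) => (a && typeof a === 'object' ? filterHeaderArg(a, hidden) : a));
    return original.call(this, statusCode, ...args);
  };
  return res;
}
```

Call `stripOnWriteHead(res)` on each response before the request reaches the application handler; the same header can instead be stripped at a reverse proxy or CDN, in which case `findLeakedHeaders` still serves as the audit check.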

References

https://nextjs.org/docs/going-to-production

https://owasp.org/www-community/attacks/Cache_poisoning

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

5.4