Missing Clear-Site-Data

Description

The Clear-Site-Data response header instructs the browser to clear stored data for the site (e.g., cookies, local storage, caches) when a response carries it, typically after a user logs out. Without this header, data left in the browser after logout or another critical state change can be reused: an attacker with access to the browser could resume the session, perform session hijacking, or gather sensitive information from cached pages and storage. This residual data also helps a malicious actor persist an unauthorized session. On shared workstations or compromised endpoints, failing to clear site data can lead to data leakage and enables session replay, further increasing the attack surface for social engineering.

Remediation

Send the Clear-Site-Data header on responses to critical actions, such as user logout or session expiration, so that sensitive data is cleared from the browser. The header can clear cookies, cache, storage, and more; each data type is given as a quoted directive, for example: Clear-Site-Data: "cookies", "storage". Depending on your application, you may opt to clear everything or only specific data types. If you are using reverse proxies or load balancers, ensure they pass this header through and do not inadvertently remove or alter it. Consider implementing a Web Application Firewall (WAF) or additional firewall rules to detect and prevent abuse of leftover session data. Regularly review your logout and session management processes to confirm the header is present where required, minimizing the risk of session hijacking or unauthorized data access.
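As an added example (not code from the finding page or any scanner), the following builds a valid Clear-Site-Data value for a logout response and audits a captured response's headers for this finding; the sample header dictionaries are constructed, and the check also flags the plain-HTTP case, since browsers only honor the header on secure (HTTPS) origins.

```python
# Added example: build and audit a Clear-Site-Data header for logout responses.
from typing import Dict, Iterable, List

# Directive names defined by the Clear-Site-Data specification.
KNOWN_DIRECTIVES = {"cache", "cookies", "storage", "executionContexts", "*"}

# Assumption for this example: a logout response should clear at least these.
LOGOUT_REQUIRED = {"cookies", "storage"}


def build_clear_site_data(directives: Iterable[str]) -> str:
    """Return a header value such as '"cookies", "storage"'.

    Each directive must be a known name and is emitted as a double-quoted
    string, which is the syntax the header requires.
    """
    out = []
    for d in directives:
        if d not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown Clear-Site-Data directive: {d!r}")
        out.append(f'"{d}"')
    if not out:
        raise ValueError("at least one directive is required")
    return ", ".join(out)


def parse_clear_site_data(value: str) -> List[str]:
    """Return the quoted directives in a header value; unquoted tokens are ignored."""
    found = []
    for token in value.split(","):
        token = token.strip()
        if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            found.append(token[1:-1])
    return found


def check_logout_response(headers: Dict[str, str], https: bool = True) -> List[str]:
    """Audit a logout response's headers and return a list of findings (empty = OK)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lower.get("clear-site-data")
    if value is None:
        return ["Missing Clear-Site-Data header on logout response"]
    findings = []
    present = set(parse_clear_site_data(value))
    if "*" not in present:  # "*" clears every data type, so nothing is missing
        for missing in sorted(LOGOUT_REQUIRED - present):
            findings.append(f'Clear-Site-Data does not clear "{missing}"')
    if not https:
        findings.append("Clear-Site-Data is ignored by browsers on insecure (non-HTTPS) origins")
    return findings


# Constructed sample responses (not captured from any real application).
LOGOUT_WITHOUT_HEADER = {"Content-Type": "text/html", "Set-Cookie": "session=; Max-Age=0"}
LOGOUT_WITH_HEADER = {"Clear-Site-Data": build_clear_site_data(["cookies", "storage"])}
```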

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
https://owasp.org/www-project-secure-headers/#clear-site-data

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE: CWE-359

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 3.1 score: 5.9

CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0 score: 5.9