{
    "slug": "cache_poisoning",
    "term": "Cache Poisoning",
    "category": "security",
    "difficulty": "advanced",
    "short": "An attacker manipulates a cached response so that subsequent users receive malicious content served from the cache.",
    "long": "Web cache poisoning abuses the gap between what a caching layer uses as a cache key (typically URL + Host) and what the backend actually processes (including unkeyed headers such as X-Forwarded-Host). By injecting a malicious value into an unkeyed header that the application reflects in its response, an attacker can poison the cached copy, which is then served to every subsequent visitor who hits that cache key. Mitigations include keying the cache on every request header that influences the response, disabling reflection of arbitrary headers, and using Vary headers appropriately.",
    "aliases": [
        "web cache poisoning",
        "CDN poisoning"
    ],
    "tags": [
        "caching",
        "injection",
        "web-security"
    ],
    "misconception": "Cache poisoning only affects public CDN caches. In fact, server-side application caches and reverse proxies can also be poisoned whenever an unkeyed header influences the cached response.",
    "why_it_matters": "A poisoned cache entry serves malicious content to every user who hits that cache key — a single request from an attacker can affect thousands of victims.",
    "common_mistakes": [
        "Reflecting unkeyed request headers (like X-Forwarded-Host or X-Original-URL) into cached responses.",
        "Including user-controlled query parameters in responses that are served from cache to other users.",
        "Not separating cached static resources from dynamic personalised responses.",
        "Trusting the Host header for generating absolute URLs in cached pages."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "xss",
        "host_header_injection",
        "open_redirect"
    ],
    "prerequisites": [
        "caching",
        "http_caching",
        "web_cache_deception"
    ],
    "refs": [
        "https://portswigger.net/web-security/web-cache-poisoning",
        "https://owasp.org/www-community/attacks/Cache_Poisoning"
    ],
    "bad_code": "// Caching a response that includes unvalidated Host header\n\\$cacheKey = 'page:' . \\$_SERVER['HTTP_HOST'] . \\$_SERVER['REQUEST_URI'];\n\\$cached   = \\$cache->get(\\$cacheKey);\nif (!\\$cached) {\n    \\$html = render(['canonical' => 'https://' . \\$_SERVER['HTTP_HOST'] . '/page']);\n    \\$cache->set(\\$cacheKey, \\$html);\n}",
    "good_code": "// Use a fixed canonical hostname — never trust the Host header for cache keys\n\\$canonicalHost = config('app.url'); // 'https://yourapp.com'\n\\$cacheKey      = 'page:' . md5(\\$canonicalHost . \\$_SERVER['REQUEST_URI']);\n\n// In nginx — only forward known Host values to PHP:\n// if (\\$host !~* ^(yourapp\\.com|www\\.yourapp\\.com)\\$) { return 444; }",
    "quick_fix": "Never cache responses derived from unvalidated request headers; key the cache on only the request headers you explicitly support; set Cache-Control: no-store on sensitive pages",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/cache_poisoning",
        "html_url": "https://codeclaritylab.com/glossary/cache_poisoning",
        "json_url": "https://codeclaritylab.com/glossary/cache_poisoning.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Cache Poisoning](https://codeclaritylab.com/glossary/cache_poisoning) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/cache_poisoning"
            }
        }
    }
}