Customize the Cache-Control and ExpireForProxy Header Settings

You can customize the Cache-Control and ExpireForProxy headers to secure Web resources without affecting in-place activation of application files (.doc, .pdf, and so on). You can set specific HTTP headers independently for three types of content, auto-authorized, protected, and unprotected, with separate settings for HTTP/1.1 and HTTP/1.0 clients, to control how that content is cached by a web browser or proxy server.

Important! We recommend using the default settings unless you are familiar with the ramifications of changing them in accordance with RFC 2068 (HTTP/1.1). If you plan to change the default settings, note that once a user has a session, the Web Agent updates the SiteMinder session cookie (SMSESSION) on every access to an unprotected page in order to track the idle timeout. The response to an unprotected page can therefore carry a Set-Cookie header with a live session cookie, so unprotected pages should not be cached on a proxy that caches HTTP headers.

The following applies when setting headers to prevent caching by proxies:

Configure every parameter as a multi-value string, with one header per value, so that more than one header can be sent for the same type of content, for example Cache-Control: private together with Cache-Control: max-age=60.

The configuration consists of the following parameters:

  1. ProxyHeadersDefaultTime - defaults to 60 seconds
  2. ProxyHeadersTimeoutPercentage - defaults to 10 percent
  3. The following header parameters are available:
    ProxyHeadersAutoAuth

    Specifies the value of an HTTP/1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, an auto-authorized resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT

    Example (suggested setting): ProxyHeadersAutoAuth="Cache-Control: max-age=60"

    ProxyHeadersAutoAuth10

    Specifies the value of an HTTP/1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, an auto-authorized resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT

    Example (suggested setting): ProxyHeadersAutoAuth10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

    ProxyHeadersProtected

    Specifies the value of an HTTP/1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, a protected resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
             Cache-Control: no-cache

    Example (suggested settings): ProxyHeadersProtected="Cache-Control: private"
                                  ProxyHeadersProtected="Cache-Control: max-age=60"

    ProxyHeadersProtected10

    Specifies the value of an HTTP/1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, a protected resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
             Cache-Control: no-cache

    Example (suggested setting): ProxyHeadersProtected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

    ProxyHeadersUnprotected

    Specifies the value of an HTTP/1.1 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, an unprotected resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
             Cache-Control: no-cache

    Example (suggested settings): ProxyHeadersUnprotected="Cache-Control: private"
                                  ProxyHeadersUnprotected="Cache-Control: max-age=60"

    ProxyHeadersUnprotected10

    Specifies the value of an HTTP/1.0 header that the Web Agent inserts into an HTTP response to a client when the ExpireForProxy parameter in the Web Agent configuration is set to yes. The value of this header determines whether, and for how long, an unprotected resource is cached.

    Default: Expires: Thu, 01 Dec 1994 16:00:00 GMT
             Cache-Control: no-cache

    Example (suggested setting): ProxyHeadersUnprotected10="Expires: Thu, 01 Dec 1994 16:00:00 GMT"

The HTTP/1.0 parameters (the names ending in 10) exist because HTTP/1.0 caches do not understand Cache-Control and decide freshness from the Expires header alone; an Expires date in the past (such as the default, Thu, 01 Dec 1994 16:00:00 GMT) tells such a cache that the response is already stale. Setting only the HTTP/1.1 parameters therefore leaves HTTP/1.0 proxies unconstrained.

When configuring multiple headers (for example, the two Cache-Control headers in the suggested setting for unprotected HTTP/1.1 content), add each header as a separate value of the multi-value parameter rather than combining them into one string.

If you do not configure the Web Agent to set appropriate cache expiration headers for unprotected resources, the Web Agent sets no such headers by default. A web browser or proxy server may then store the response that carries the updated SMSESSION cookie. The cached cookie can be re-used by the browser or proxy after the user has initiated a different session (and therefore a different user context), causing an unauthorized impersonation.
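The following script is an added example and is not part of the SiteMinder documentation or the Web Agent itself. It audits a captured HTTP response for the hazard described above: a Set-Cookie header carrying SMSESSION in a response that a shared proxy is allowed to store and serve to another client. The response parser, the constructed sample responses and the decision rules are my own; the rules follow RFC 7234 shared-cache semantics (no-store, private, no-cache, s-maxage/max-age) and the Expires-only behaviour of HTTP/1.0 caches, which is what the separate *10 parameters on this page exist for. The sample responses use the page's suggested settings for unprotected content; the cookie value and host names are placeholders.

```python
"""Audit an HTTP response for a cacheable SMSESSION cookie (added example).
Rules: RFC 7234 shared-cache storage and freshness; an HTTP/1.0 proxy is
modelled as ignoring Cache-Control and honouring Expires only."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIE = "SMSESSION"  # SiteMinder session cookie name from the page


def parse_response(raw: bytes):
    """Return (version, status, [(name, value), ...]) from a raw response.
    Repeated headers are kept in order: Set-Cookie and Cache-Control may repeat."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], int(parts[1]), headers


def cache_control_directives(headers):
    """Merge every Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for name, value in headers:
        if name != "cache-control":
            continue
        for item in value.split(","):
            key, _, arg = item.strip().lower().partition("=")
            if key:
                directives[key] = arg.strip().strip('"') or None
    return directives


def shared_cache_reuse(headers, now, http10=False):
    """May a shared proxy serve this stored response to a different client
    without revalidating with the origin?  Returns (reusable, reason)."""
    cc = {} if http10 else cache_control_directives(headers)
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (shared caches must not store it)"
    if "no-cache" in cc:
        return False, "Cache-Control: no-cache (must revalidate before reuse)"
    for key in ("s-maxage", "max-age"):  # s-maxage takes precedence for shared caches
        if key in cc:
            try:
                seconds = int(cc[key])
            except (TypeError, ValueError):
                return False, f"unparseable {key} (treated as stale)"
            return seconds > 0, f"Cache-Control: {key}={seconds}"
    expires = next((v for n, v in headers if n == "expires"), None)
    if expires is not None:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False, "invalid Expires (treated as already expired)"
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now, f"Expires: {expires}"
    return True, "no freshness information; heuristic caching is permitted"


def audit(raw: bytes, now, http10=False):
    """Return a finding string when the response sets SMSESSION yet could be
    served from a shared cache to another user; None when it is safe."""
    version, status, headers = parse_response(raw)
    sets_session = any(
        n == "set-cookie" and v.split("=", 1)[0].strip() == SESSION_COOKIE
        for n, v in headers
    )
    if not sets_session:
        return None
    reusable, reason = shared_cache_reuse(headers, now, http10=http10)
    if reusable:
        return f"{version} {status}: {SESSION_COOKIE} is cacheable by a shared proxy ({reason})"
    return None


NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the samples

_COMMON = (  # constructed: unprotected page whose response refreshes the session cookie
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 12:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: SMSESSION=opaque-session-blob; path=/; domain=.example.com\r\n"
)
# No caching headers at all: the default behaviour the page warns about.
UNPROTECTED_DEFAULT = _COMMON + b"\r\n<html>...</html>"
# The page's suggested ProxyHeadersUnprotected values plus the HTTP/1.0 default Expires.
UNPROTECTED_SUGGESTED = (
    _COMMON + b"Cache-Control: private\r\n" + b"Cache-Control: max-age=60\r\n"
    + b"Expires: Thu, 01 Dec 1994 16:00:00 GMT\r\n" + b"\r\n<html>...</html>"
)
# Only max-age configured, without private and without an Expires for HTTP/1.0 proxies.
UNPROTECTED_MAXAGE_ONLY = _COMMON + b"Cache-Control: max-age=60\r\n\r\n<html>...</html>"

if __name__ == "__main__":
    for label, raw in (("default", UNPROTECTED_DEFAULT), ("suggested", UNPROTECTED_SUGGESTED),
                       ("max-age only", UNPROTECTED_MAXAGE_ONLY)):
        print(label, "|", audit(raw, NOW) or "ok", "|", audit(raw, NOW, http10=True) or "ok")
```

Run against a response captured from your own agent-fronted site (for example with curl -i) and the script reports whether an HTTP/1.1 proxy, an HTTP/1.0 proxy, or both would be allowed to replay the SMSESSION cookie. The "max-age only" sample shows why both header families matter: Cache-Control: max-age=60 without private lets an HTTP/1.1 shared cache store the cookie for a minute, and an HTTP/1.0 proxy, which never sees Cache-Control, has no Expires to stop it at all.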

More information:

Configure Agents that Sit behind Proxy Servers