Prevent local caching of images, for security - html

Is there a reliable way to stop all browsers from caching an image locally.
This is not (just) about the freshness of the image, but rather a concern about sensitive images being stored on the local drive.
Adding a random url param to the img url as suggested in similar questions does not help because that just ensures the next request is not the last request in cache (at least that is my understanding). What I really need is for the image to never be saved locally or at least not accessible outside the browser session if it is saved.

You need to send appropriate cache-control headers when serving up the response for image request. See this post for information on standard ways to do this in several programming languages.
How to control web page caching, across all browsers?
There is an alternate, and possibly more foolproof yet more complex, approach which would be to directly populate base 64 encoded images data directly into the img src attrbitute. So far as I know this would not be subject to caching, as there is not a separate HTTP request made to retrieve the image. Of course you still need to make sure the page is not cached, which gets back to the initial problem of serving up appropriate headers for primary HTML request.

Related

User submitted images with http:// urls are causing browsers to warn that the page is not secure

I'm working for a forum owner who allows users to submit hotlinked images from other domains in their posts. If they choose to use an http version of the URL, the otherwise clean page becomes insecure in the eyes of a browser, which some percentage of the time triggers a worried email from certain users.
I can't rewrite the urls, since I can't code against the assumption that future off site images will have https available. For the same reason, I can't use protocol relative src attributes. I'm unwilling to fetch and cache the images on our server just so that they can be served over https, because of the computational expense involved.
What can I do? Is there some piece of HTML syntax or some similar which I can use to tell the browser "This image doesn't matter, and doesn't constitute a security threat"?
This isn't possible. The image may not constitute a security threat but MITM attacks could still lead to images other than the intended one being loaded over the network, and who knows what an attacker may want to supplant that image with. My suggestion would be to pass the annoyance on to your users and tell them they can only use https URLs.

How to detect whether a browser is using cached version of the website?

I have the following problem - there is a clock on my webpage and I'm trying to fight the following thing - if a user goes to another page and then presses back, the clock is desynchronized (it should show the time of the server). I have the mechanisms to synchronise the clock but I'm thinking how should I detect whether to fire them up (they should be used as rarely as possible as they are expensive). So is there a widely used way to detect whether user is using cached version of the page? One way I thought about is looking at user local time and if suddenly there is a jump between previous time registered and time registered now I can fire the mechanism, but is there a simpler, generic way (for example - maybe browser sends some message to webpage to communicate that...)?
It sounds like you're allowing the client or server to do a full page cache, which you don't want due to parts of the page relying on the current server date time.
You certainly want to remove client caching from you response headers of the main response, especially if you have any sort of authentication that you need to check before rendering the page; you will want to make sure the client is still logged in for example.
You will also want to remove any full response caching from the server. You should investigate server partial or donut caching which allows you to cache certain parts of the response (so it doesn't need to work out static data that won't change; for example the navigation or footer) but will go off and get new results for the parts of your page that should change on each request.
The date time display and all other reliant parts of the response will be updated, but static parts will come from the server cache.
A good (and easier) example of this problem is where you have a page that displays a random image on reload. If the page / response is cached on the server, this image will remain the same for each request. The server (code) would need set up to cache everything about the page apart from the image which would be updated by the server. The server (code) will therefore only need to work out the new image that needs to be applied to the response as all other parts of the page come from the cache on the server.
It's also worth noting that server cache is global. If you cache a particular response and another user then requests the same page, they will get the same response as the other user. You may need to vary the cache by certain parameters depending on the needs of your system.

HTML 4.0 problems with hosting images on other domain

There is a company I'm working with that says we are slowing down their web hosting software by hosting images on a separate domain.
I've told them what we are doing should only speed them up because there will be less file requests to their server.
They replied by saying that because they use HTML 4.0, their server is having to make image requests on the server side before they send content to the user.
This makes no sense to me and am trying to disprove this claim.
Am I wrong and just crazy?
I've been looking for articles on this for hours and have had no luck.
Proof that their statement is false would be greatly appreciated, and an article on this topic would be even more helpful.
Your mindset is correct. There is nothing about HTML4 that validates their claim in the context you provided us.
When you make a GET request to the server, you pull an HTML page. The browser then parses the document and makes additional requests, as declared in the document. Images are no exception. When it reaches an image, it will make a GET request to retrieve it to the specified URI. If that URI is not on the same domain, it is not going to make a request to the same domain. The server does not make the GET request for you.
Now, they could be doing something special that would cause it to operate more slowly, but nothing about the HTML4 spec would lead to it.
Simply has nothing to do with HTML 4, because you could target every Image in a <img src="http://other-server.de/bla.png" /> Tag. So if you point these tags to your own hosting solution it doesn't slow down their software, except you point these tags to their servers, and the servers fetch the images from the remote server. The browser always load resources from the URL, you put in the tag.
Except they rewrite the HTML code automatically on the fly, so they point to their servers.
EDIT: Maybe the page loads slowly because maybe your Image-Hosting-Server is responding slowly?!

Can an external image URL be a security vulnerability? [duplicate]

What security holes can appear on my site by including external images via img tag and how to avoid them?
I'm currently only checking the extension and mime-type of image on submission (that can be changed after URL is submitted) and URL is sanitized before putting it in src attribute.
There's probably a differentiation to be made here between who is at risk.
If all you're doing is storing URLs, and not uploading images to your server, then your site is probably safe, and any potential risk is to your users who view your site.
In essence, you're putting your trust in the reliability of the browser manufacturers. Things might be fine, but if a security hole in some browser one of your users uses were to arise that involved incorrectly parsing images that contain malicious code, then it's your users who will end up paying for it (you might find GIFAR interesting).
It comes down to whether you trust the browser manufacturers to make secure software, and whether you trust your users to not upload URLs to images that might contain exploits for certain browsers. What might be secure now might not be secure come the next release.
The primary holes that can be exposed are those where corrupted images cause buffer overflows within the browser, allowing arbitrary code execution.
If you're only putting the images into an <img> tag there shoudln't be any vulnerabilities relating to sending alternative MIME types, but never underestimate the stupidity of some web browser developers...
Well, obviously, you're not doing any checks on the data, so the data can be anything (the mime-type reported by the remote server doesn't necessarily tell the truth). Plus, as you said, the data on the remote server can be changed since you're never looking at it after submission.
As such, if the link is put into lets say an <img src="..."/>, then any vulnerability that a browser might have in the image handling can be exploited.
"Sanitizing" the URL doesn't help with anything: somebody submitting a link that points to a 'bad' image isn't going to attack his own server.

Pros and Cons of a separate image server (e.g. images.mydomain.com)?

We have several images and PDF documents that are available via our website. These images and documents are stored in source control and are copied content on deployment. We are considering creating a separate image server to put our stock images and PDF docs on - thus significantly decreasing the bulk of our deployment package.
Does anyone have experience with this approach?
I am wondering about any "gotchas" - like XSS issues and/or browser issues delivering content from the alternate sub-domain?
Pro:
Many browsers will only allocate two sockets to downloading assets from a single host. So if index.html is downloaded from www.domain.com and it references 6 image files, 3 javascript files, and 3 CSS files (all on www.domain.com), the browser will download them 2 at a time, with the other blocking until a socket is free.
If you pull the 6 image files off onto a separate host, say images.domain.com, you get an extra two sockets dedicated to download your images. This parallelizes the asset download process so, in theory, your page could render twice as fast.
Con:
If you're using SSL, you would need to either get an additional single-host SSL certificate for images.domain.com or a wildcard SSL certificate for *.domain.com (matches any subdomain). Failure to do so will generate a warning in the browser saying the page contains mixed secure and insecure content.
You will also, with a different domain, not send the cookies data with every request. This can increase performance.
Another thing not yet mentioned is that you can use different web servers to serve different sorts of content. For example, your static content could be served via lighttpd or nginx while still serving your dynamic content off Apache.
Pros:
-load balancing
-isolating a different functionality
Cons:
-more work (when you create a page on the main site you would have to maintain the resources on the separate server)
Things like XSS is a problem of code not sanitizing input (or output for that matter). The only issue that could arise is if you have sub-domain specific cookies that are used for authentication.. but that's really a trivial fix.
If you're serving HTTPS and you serve an image from an HTTP domain then you'll get browser security alert warnings pop up when you use it.
So if you do HTTPS, you'll need to buy HTTPS for your image domain awell if you don't want to annoy the hell out of your users :)
There are other ways around this, but it's not particularly in the scope of this answer - it was just a warning!