Skip to main content

SecureAuth IdP Caching Best Practices

Introduction

This document discusses best practices for configuring the Internet Information Services (IIS) caching on a SecureAuth IdP appliance.

Applies to

SecureAuth IdP Version

OS Version

8.x, 9.x

  • Windows Server 2012

  • Windows Server 2012 R2

Discussion

Security Best Practices

To ensure sensitive information is not cached on a user workstation or mobile device, SecureAuth recommends setting the IIS cache-control directive to no-store . With the no-store setting a cache will not retain records about a client request or server response. Follow the directions below to enable the no-store directive:

1. Click Start and then Administrative Tools

2. Double-click Internet Information Services (IIS) Manager

3. On the Connections pane, locate the Default Web Site and click it

4. Double-click the HTTP Response Headers icon

5. In the Actions pane, click the Add... link

6. In the Add Custom HTTP Response Header dialog box, enter the information below

7. Set the Name field to cache-control and the Value field to no-store

Performance Best Practices

When an appliance is following security best practices for caching, it is instructing the browser to not store any information from a SecureAuth IdP appliance. This is a secure by default configuration which ensures the highest level of security for the product. It is possible, however, to configure the appliance to be secure and leverage the performance enhancements of caching. There are three directories in each realm where caching can be safely enabled without the worry of confidential information being stored and potentially exploited. The directories are:

  • D:\SecureAuth\<realm>\assets
  • D:\SecureAuth\<realm>\Images
  • D:\SecureAuth\<realm>\Themes

These directories contain the elements necessary to compose the page (e.g. fonts, style sheet, etc.) which, when retrieved from the browser cache, reduce the time needed to render. These components are static and do not contain confidential information, so their presence in the user cache does not constitute a security issue. This configuration can help speed the presentations of SecureAuth IdP realms to users in all configurations. The most noticeable improvements will be seen on realms configured as a Secure Portal. To implement this configuration follow the instructions below:

1. Click Start and then Administrative Tools

2. Double-click Internet Information Services (IIS) Manager

3. On the Connections pane, locate the Default Web Site and expand it

4. Locate the realm to modify, expand it, and select the subfolder to configure (e.g. assets, images or themes)

5. Double-click the HTTP Response Headers icon

6. Click the cache-control entry then, in the Actions pane, click the Remove link

7. In the Actions pane, click the Set Common Headers link

8. In the Set Common HTTP Response Headers dialog box, select the Expire Web Content checkbox and the After: radio button

9. Set the content to expire after 2 days

10. Click the OK button to confirm all changes

In this section: