Description
ASVS 14.3.1 requires that authenticated data is cleared from client storage (cookies, cache, localStorage, sessionStorage) when a session terminates, using the Clear-Site-Data HTTP response header and client-side clearing mechanisms.
Currently, the logout endpoint in src/asfquart/generics.py only clears the server-side session. It does not:
- Send a `Clear-Site-Data` response header to instruct the browser to purge cookies, cache, and storage.
- Include any client-side JavaScript to clear `localStorage`, `sessionStorage`, or DOM-stored data.
- Provide an offline-capable cleanup mechanism (required by ASVS 14.3.1 when the server connection is unavailable).
Affected Files
| File | Issue |
|---|---|
| src/asfquart/generics.py (lines 38–48) | Logout handler — no Clear-Site-Data header |
| src/asfquart/session.py (clear()) | Only removes server-side session data |
| Application-wide | No JavaScript session-cleanup module exists |
Current Code
```python
# src/asfquart/generics.py, lines 38-48
elif logout_uri or quart.request.query_string == b"logout":
    asfquart.session.clear()  # Only clears server-side session
    if logout_uri:
        return quart.redirect(logout_uri)  # No Clear-Site-Data header
    return quart.Response(
        status=200,
        response=f"Client session removed, goodbye!\n",
    )  # No Clear-Site-Data header
```
Recommended Remediation
Server-side — add Clear-Site-Data header:
```python
elif logout_uri or quart.request.query_string == b"logout":
    asfquart.session.clear()
    clear_site_data_header = '"cache", "cookies", "storage"'
    if logout_uri:
        response = quart.redirect(logout_uri)
        response.headers['Clear-Site-Data'] = clear_site_data_header
        return response
    response = quart.Response(status=200, response="Client session removed, goodbye!\n")
    response.headers['Clear-Site-Data'] = clear_site_data_header
    return response
```
Client-side — add a session-cleanup script (include in base template):
```javascript
(function () {
  'use strict';
  function clearAuthenticatedData() {
    localStorage.clear();
    sessionStorage.clear();
    document.querySelectorAll('[data-sensitive]').forEach(el => {
      el.textContent = '';
    });
  }
  // Monitor for 401 responses indicating session termination
  const originalFetch = window.fetch;
  window.fetch = async (...args) => {
    const response = await originalFetch(...args);
    if (response.status === 401) {
      clearAuthenticatedData();
    }
    return response;
  };
  window.clearAuthenticatedData = clearAuthenticatedData;
})();
```
Reference
- ASVS: 14.3.1
- CWE: CWE-525 (Use of Web Browser Cache Containing Sensitive Information), CWE-922 (Insecure Storage of Sensitive Information)
- Severity: Medium
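The server-side remediation above sets the header by hand on two code paths; the helper below, an added example that is not asfquart's own code, builds and validates the `Clear-Site-Data` value once, attaches it to any response with a dict-like `headers` attribute (a `quart.Response` or the result of `quart.redirect()` both qualify), and gives a regression check for this issue. `FakeResponse` is a constructed stand-in so it runs without Quart installed; the HTTPS check is a simplification of the browser rule that the header is only honoured in a secure context.

```python
from dataclasses import dataclass, field

# Directive names defined by the Clear-Site-Data specification; "*" selects all.
VALID_DIRECTIVES = frozenset({"cache", "cookies", "storage", "executionContexts", "*"})
# The set ASVS 14.3.1 calls for on logout: cookies, cache and client-side storage.
LOGOUT_DIRECTIVES = ("cache", "cookies", "storage")


def build_clear_site_data(directives=LOGOUT_DIRECTIVES) -> str:
    """Render the header value, e.g. '"cache", "cookies", "storage"'.
    The spec requires each directive to be a quoted string; unknown names are
    rejected here instead of being sent and silently ignored by the browser."""
    unknown = set(directives) - VALID_DIRECTIVES
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data directive(s): {sorted(unknown)}")
    return ", ".join(f'"{d}"' for d in directives)


def add_clear_site_data(response, directives=LOGOUT_DIRECTIVES):
    """Attach the header to a logout response; works on a redirect or a 200 alike."""
    response.headers["Clear-Site-Data"] = build_clear_site_data(directives)
    return response


def parse_clear_site_data(value: str) -> set:
    """Parse a header value back into its directive names (for regression checks)."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not all(len(p) >= 2 and p[0] == p[-1] == '"' for p in parts):
        raise ValueError("Clear-Site-Data directives must be double-quoted")
    return {p[1:-1] for p in parts}


def logout_response_is_compliant(headers, request_url: str) -> bool:
    """The check a regression test for this issue would make: header present,
    every directive logout needs covered, and the logout URL served over HTTPS,
    since browsers only act on Clear-Site-Data in a secure context (simplified
    here to an https:// prefix; over plain http:// the header achieves nothing)."""
    value = headers.get("Clear-Site-Data")
    if value is None or not request_url.startswith("https://"):
        return False
    names = parse_clear_site_data(value)
    return "*" in names or set(LOGOUT_DIRECTIVES) <= names


@dataclass
class FakeResponse:
    """Constructed stand-in for quart.Response / quart.redirect() results."""
    status: int = 200
    headers: dict = field(default_factory=dict)
```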