- by x32x01
Web Cache Deception is an attack where a cache system (CDN or reverse proxy) is tricked into storing private or dynamic content. Attackers do this by adding a fake static file extension (like .jpg, .css) to a dynamic URL.
Example:
- Original private feed: https://site.com/newsfeed
- Attacker uses: https://site.com/newsfeed/foo.jpg
The cache sees the .jpg and stores it. Later, anyone with that URL can access the private content.
How Attackers Exploit WCD
- Flexible routing: Many frameworks treat /newsfeed/foo.jpg the same as /newsfeed.
- Extension tricks caching: Fake static endings convince caches to store dynamic content.
- Content takeover: Attackers fetch the cached URL and access sensitive data.
Real-World Example:
Cloudflare’s blog dynamically serves /newsfeed. Requesting /newsfeed/foo.jpg returns the same content, and the cache stores it because of the .jpg suffix. Attackers can then retrieve the cached page.
Detecting Web Cache Deception
- Monitor URLs with image/script extensions (.jpg, .css, .js) that return user-specific pages.
- Check cache headers: look for Age: values or missing Cache-Control: no-store.
- Watch for unusual cache hits or repeated access to private URLs.
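An added example (not part of the original post): a small audit over recorded responses that applies the checks above, flagging static-looking URLs whose Content-Type does not match the extension and then checking Cache-Control and Age. The function names, the extension map and the site.example sample records are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Static-looking extensions and the Content-Type prefix each should carry (assumed map).
STATIC_TYPES = {
    ".jpg": "image/", ".jpeg": "image/", ".png": "image/", ".gif": "image/",
    ".css": "text/css", ".js": ("application/javascript", "text/javascript"),
}

def audit_response(url, headers):
    """Return WCD findings for one response; an empty list means nothing flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    expected = STATIC_TYPES.get(ext)
    if expected is None:
        return []  # URL does not look static to a cache
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith(expected):  # startswith accepts a str or a tuple
        return []  # extension and content type agree
    findings = [f"extension {ext} served as {ctype or 'unknown type'}"]
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",")}
    if not directives & {"private", "no-store"}:
        findings.append("missing Cache-Control: private/no-store")
    if "age" in h:
        findings.append(f"response came from a cache (Age: {h['age']})")
    return findings

# Constructed sample records: (URL, response headers).
SAMPLES = [
    ("https://site.example/newsfeed/foo.jpg",
     {"Content-Type": "text/html; charset=utf-8",
      "Cache-Control": "public, max-age=600", "Age": "42"}),
    ("https://site.example/static/logo.jpg",
     {"Content-Type": "image/jpeg", "Cache-Control": "public, max-age=86400", "Age": "10"}),
    ("https://site.example/newsfeed/foo.css",
     {"Content-Type": "text/html", "Cache-Control": "private, no-store, no-cache"}),
    ("https://site.example/newsfeed", {"Content-Type": "text/html"}),
]

def audit_samples():
    """Map each sample URL to its findings."""
    return {url: audit_response(url, hdrs) for url, hdrs in SAMPLES}

if __name__ == "__main__":
    for url, findings in audit_samples().items():
        print(url, "->", findings or "ok")
```

The third sample shows the partial case: headers keep the page out of caches, but the finding remains because the route still accepts the fake suffix.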
How to Defend Against WCD
1. Strict Routing
Ensure your application does not treat /path/foo.extension as the same as /path. Use route anchors or reject unexpected suffixes.
2. Correct Headers
For dynamic content, always send:
Cache-Control: private, no-store, no-cache
This prevents browsers and caches from storing sensitive pages.
3. Server/Proxy Rules
At CDN or proxy level:
- Verify file extensions match content types.
- Use built-in safeguards like Cloudflare Cache Deception Armor.
4. Use "Cache Everything" With Caution
Features like Cloudflare’s “Cache Everything” may override safeguards. Only use when content is static and safe to cache.
5. Vary & Cache Key Control
Include headers like User-Agent and cookies in the cache key or block them entirely. This prevents cross-user cache leaks.
Summary Table
| Step | What Happens | Defense |
|---|---|---|
| 1 | /newsfeed/foo.jpg returns private content | Reject invalid suffixes |
| 2 | Cache sees .jpg and stores it | Add Cache-Control: private/no-store |
| 3 | Attacker fetches cached page | Use proxy safeguards, match extensions & types |
Key Takeaways
- WCD tricks caches into exposing private data with fake file endings.
- Attackers can force sensitive content into public caches.
- Prevention requires strict routing, correct headers, CDN safeguards, and careful caching policies.
- Always test caching configurations and monitor for unusual URL patterns.