Leak of Confidential Data in HTTP Proxies

An OAuth HTTP authentication scheme as discussed in RFC6749 is optional. However, RFC2616 relies on the Authorization and WWW-Authenticate headers to distinguish authenticated content so that it can be protected. Proxies and caches, in particular, may fail to adequately protect requests not using these headers. For example, private authenticated content may be stored in (and thus be retrievable from) publicly accessible caches.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.6.6)


This threat is considered fully mitigated if all the test cases from the following test set succeed.

Back to the threat overview