Contact us:

HTTP Security Headers: Cache-Control

Author: HollyGraceful    Published: 21 February 2022

The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached, as if confidential information is cached on user's device, and that device is a public device, or shared with other users then the information may be compromised by another user with access to the device.

Note: the Cache-Control header option no-cache does instruct the browser not to cache the response, but instead instructs it that the cache must be revalidated before reuse, to prevent the browser from storing the response in the cache the no-store option should be used.

It is recommended that where confidential information is being transmitted, Cache-Control is enabled with the no-store option, for example:

Cache-Control: no-cache, no-store