HTTP Security Headers: Cache-Control
Author: HollyGraceful Published: 21 February 2022 Last Updated: 03 July 2023
The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached, as if confidential information is cached on user's device, and that device is a public device, or shared with other users then the information may be compromised by another user with access to the device.
Note: the Cache-Control header option no-cache does not instruct the browser not to cache the response, but instead instructs it that the cache must be revalidated before reuse, to prevent the browser from storing the response in the cache the no-store option should be used.
It is recommended that where confidential information is being transmitted, Cache-Control is enabled with the no-store option, for example:
Cache-Control: no-cache, no-store