Cache-Control for Security (Cache-Control Security)

Security Glossary - Security Headers

Definition: Cache-Control headers can be used for security by preventing sensitive pages from being stored in browser caches, proxy caches, or CDN caches. Setting Cache-Control: no-store on responses containing personal data prevents the data from being accessible to the next user on a shared device or from lingering in intermediate caches.

Why You Should Care About Cache-Control Security

By default, browsers and proxies may cache HTTP responses to improve performance. For pages containing sensitive data (account settings, financial information, personal details), cached copies create a security risk. On shared computers, the next user could use the browser's back button to view cached pages from the previous user's session.

For authenticated pages and API responses containing personal data, set Cache-Control: no-store to prevent any caching. The no-store directive is stronger than no-cache (which allows caching but requires revalidation). For pages behind authentication, no-store is the appropriate choice.

Static assets like images, CSS, and JavaScript can safely use long cache times (max-age=31536000, immutable for versioned assets). The key is distinguishing between public assets (cacheable) and personal data responses (not cacheable). Getting this wrong in either direction hurts either security or performance.

How to Verify

A security audit checks Cache-Control headers on your responses. Verify that authenticated API responses and pages with personal data use no-store. Verify that public static assets use appropriate caching for performance.
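As an added example (not code from the original glossary page), the following Python script performs the audit described above: it parses each response's Cache-Control value and checks that sensitive responses carry no-store while public static assets carry a positive max-age. The paths, header values and sensitivity labels in SAMPLE_RESPONSES are constructed for illustration.

```python
from __future__ import annotations


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Parse a Cache-Control header into {directive: argument-or-None}.
    Directive names are case-insensitive; quoted arguments are unquoted."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def audit_cache_control(header: str | None, sensitive: bool) -> list[str]:
    """Return findings for one response (empty list == pass).
    sensitive=True: personal data or behind authentication -> must use no-store.
    sensitive=False: public static asset -> should be cacheable with max-age."""
    findings: list[str] = []
    cc = parse_cache_control(header or "")
    if sensitive:
        if "no-store" not in cc:
            findings.append("sensitive response lacks no-store")
            if "no-cache" in cc:
                findings.append("no-cache only forces revalidation; the response is still stored")
            if "public" in cc:
                findings.append("public allows shared/CDN caches to store the response")
    else:
        if "no-store" in cc:
            findings.append("public asset uses no-store; every request re-downloads it")
        else:
            max_age = cc.get("max-age")
            if not (max_age and max_age.isdigit() and int(max_age) > 0):
                findings.append("public asset has no positive max-age")
    return findings


# Constructed sample responses (path, Cache-Control value, sensitive?); not real data.
SAMPLE_RESPONSES = [
    ("/api/account", "no-store", True),
    ("/api/account/history", "no-cache", True),
    ("/settings", None, True),
    ("/static/app.3f2a.js", "public, max-age=31536000, immutable", False),
    ("/static/logo.png", "no-store", False),
]


def run_audit(responses=SAMPLE_RESPONSES) -> dict[str, list[str]]:
    """Map each failing path to its findings; passing paths are omitted."""
    return {p: f for p, h, s in responses if (f := audit_cache_control(h, s))}


if __name__ == "__main__":
    for path, findings in run_audit().items():
        print(path, "->", "; ".join(findings))
```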

Questions and Answers

What is the difference between no-cache and no-store?

no-cache allows the browser to store the response but requires revalidation with the server before using it. no-store prevents the browser from storing the response at all. For sensitive data, use no-store. For content that changes frequently but is not sensitive, no-cache is appropriate.

Should I set no-store on all pages?

No. Only set no-store on responses containing sensitive or personal data. Public pages and static assets should use appropriate caching for performance. Over-using no-store degrades user experience by forcing every resource to be re-downloaded.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.