Clear-Site-Data Header (Clear-Site-Data)

Security Glossary - Security Headers

Definition: The Clear-Site-Data header instructs the browser to clear stored data associated with the requesting site. It can clear cookies, storage (localStorage, sessionStorage, IndexedDB), cache, or all of the above. It is typically used on logout endpoints to thoroughly clean up sensitive data.

Why Clear-Site-Data Matters

When a user logs out of your application, you should clear all client-side state to prevent the next user on a shared device from accessing the previous user's session. Server-side session invalidation alone is not sufficient because cached pages, stored tokens, and service worker caches may still contain sensitive data.

Sending Clear-Site-Data: "cookies", "storage", "cache" on your logout response cleans up all of that client-side state in a single step. This is especially important for applications handling sensitive data (banking, healthcare, corporate), where session leakage between users on shared devices is a real risk.
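The logout response described above, as an added example (not code from the page or from DomainOptic): a minimal WSGI endpoint that sends the recommended Clear-Site-Data value together with the server-side fallbacks the FAQ below mentions, an explicitly expired cookie and a no-store Cache-Control header. The /logout path and the "session" cookie name are assumptions.

```python
"""Logout endpoint that pairs Clear-Site-Data with server-side fallbacks.

Added example, not from the original page. The /logout path and the cookie
name "session" are assumed; adapt them to your application.
"""
from wsgiref.simple_server import make_server

# Directive list the page recommends for logout responses.
CLEAR_SITE_DATA = '"cookies", "storage", "cache"'


def logout_headers(cookie_names=("session",)):
    """Build the response headers for a logout endpoint.

    Clear-Site-Data asks supporting browsers to wipe cookies, storage and
    cache (browsers honor it only over HTTPS). The expired Set-Cookie and the
    Cache-Control: no-store header are the fallback for browsers that ignore
    the header, so the logout still works without it.
    """
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Clear-Site-Data", CLEAR_SITE_DATA),
        # Keep the logout response itself out of any cache.
        ("Cache-Control", "no-store"),
    ]
    for name in cookie_names:
        # Expire each session cookie explicitly; Max-Age=0 plus a past Expires
        # date covers browsers without Clear-Site-Data support.
        headers.append(
            ("Set-Cookie",
             f"{name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
             "Path=/; HttpOnly; Secure; SameSite=Lax")
        )
    return headers


def app(environ, start_response):
    """Minimal WSGI app: only /logout sends the clearing headers."""
    if environ.get("PATH_INFO") == "/logout":
        # Server-side session invalidation belongs here, before responding;
        # the headers only clean up the client side.
        start_response("200 OK", logout_headers())
        return [b"Logged out\n"]
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"Hello\n"]


if __name__ == "__main__":
    with make_server("127.0.0.1", 8000, app) as server:
        print("Serving on http://127.0.0.1:8000/logout")
        server.serve_forever()
```

Run the file and request /logout to see all three mechanisms in one response; logout_headers() accepts several cookie names when the application sets more than one.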

The header is also useful during security incident response. If you detect that a user's session has been compromised, sending Clear-Site-Data on the next response clears any attacker-planted data (service workers, cached content) from the legitimate user's browser.

How to Verify

A security audit may check for Clear-Site-Data usage. Verify it is sent on your logout endpoint. The recommended value is "cookies", "storage", "cache" to clear all client-side data types.
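One way to perform that check yourself, as an added example (not DomainOptic's scanner or the page's own code): a small audit function that parses the Clear-Site-Data value from a logout response, confirms the three recommended directives (or the "*" wildcard) are present, and flags unquoted directive names, which browsers do not recognise. The sample header lists below are constructed; the audit_url helper is an assumption about how you would fetch a real response.

```python
"""Audit a logout response for a correct Clear-Site-Data header.

Added example, not code from the page. Sample responses are constructed.
"""
import urllib.error
import urllib.request

# Directives the page recommends for a logout response.
RECOMMENDED = {"cookies", "storage", "cache"}
# Directive names defined for the header; "*" clears every type.
KNOWN = {"cache", "cookies", "storage", "executionContexts", "*"}


def parse_clear_site_data(value):
    """Return the set of quoted directives in a Clear-Site-Data value.

    The header is a comma-separated list of double-quoted strings. Unquoted
    names are not valid directives, so they are skipped here.
    """
    directives = set()
    for part in value.split(","):
        part = part.strip()
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            directives.add(part[1:-1])
    return directives


def check_logout_response(headers):
    """Return a list of findings for a logout response's headers (empty = pass)."""
    value = None
    for name, val in headers:
        if name.lower() == "clear-site-data":
            value = val
    if value is None:
        return ["Clear-Site-Data header missing on logout response"]

    findings = []
    found = parse_clear_site_data(value)
    unknown = {d for d in found if d not in KNOWN}
    if unknown:
        findings.append(f"unknown directives: {sorted(unknown)}")
    if "*" not in found:
        missing = RECOMMENDED - found
        if missing:
            findings.append(f"missing directives: {sorted(missing)}")
    unquoted = [p.strip() for p in value.split(",")
                if p.strip() and not p.strip().startswith('"')]
    if unquoted:
        findings.append(f"unquoted directives are ignored by browsers: {unquoted}")
    return findings


def audit_url(url):
    """Fetch a logout URL and audit its headers (assumed helper; needs network)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_logout_response(resp.getheaders())
    except urllib.error.HTTPError as err:
        # A 3xx/4xx logout response still carries headers worth checking.
        return check_logout_response(err.headers.items())


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "correct": [("Clear-Site-Data", '"cookies", "storage", "cache"')],
        "wildcard": [("Clear-Site-Data", '"*"')],
        "partial": [("Clear-Site-Data", '"cookies"')],
        "unquoted": [("Clear-Site-Data", "cookies, storage, cache")],
        "absent": [("Content-Type", "text/html")],
    }
    for label, hdrs in samples.items():
        print(label, check_logout_response(hdrs) or "OK")
```

Call audit_url("https://example.test/logout") against your own endpoint once the sample run looks right; if the logout route requires POST, change the request method accordingly.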

Frequently Asked Questions

When should I use Clear-Site-Data?

On logout endpoints, account deletion flows, and password change responses. It is overkill for regular page loads but essential for security-sensitive state transitions where you want to clear all client-side evidence of the previous session.

Does Clear-Site-Data work in all browsers?

Browser support is growing but not universal. Chrome and Firefox support it. Safari has partial support. For full coverage, also clear cookies server-side (by setting them to expired) and include cache-busting headers alongside Clear-Site-Data.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.