Cache Control
Purpose
Why use this header at all?
The Cache-Control header tells intermediate caches (HAProxy, Squid, or any ISP proxy, such as the one the old AOL browser used) whether they may store the data your site sends, and for how long.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
Set this header with the no-store and no-cache attributes on pages and assets that are considered private.
Risk Mitigated
By following this recommendation, what risk is mitigated?
If your application deals with any protected data classes, such as PII, corporate finance or similar, or any private communications such as e-mail or messages, you should follow the recommendation.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
If you comply with this recommendation, you may notice an increase in bandwidth, as resources that were previously cached are now fetched from your server. Tune your caching so that images, static files and documents, fonts, scripts and stylesheets can still be cached where possible.
Next Steps
What you can do to get there
Review which pages contain sensitive data, and ensure the Cache-Control header is set with the no-store,no-cache value. Other pages, such as public marketing materials, images, and includes (CSS, JS) may benefit from caching and should be set accordingly.
Example
What this header may look like when implemented securely
Cache-Control: no-cache,no-store
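As an added example (not code from the original page), the following Python module applies the recommendation above: it picks a Cache-Control value per path (sensitive pages get no-cache,no-store, static includes stay cacheable), parses a header value to check that both directives are present, and wraps any WSGI application so the policy is applied to every response. The route prefixes are hypothetical placeholders to be replaced after reviewing the application's own pages.

```python
from typing import Dict

# Directives that together keep a response out of shared and browser caches.
PRIVATE_DIRECTIVES = {"no-store", "no-cache"}

# Hypothetical route prefixes for this example; replace them with the
# application's own sensitive and static paths once those have been reviewed.
SENSITIVE_PREFIXES = ("/account/", "/messages/", "/api/")
STATIC_PREFIXES = ("/static/", "/assets/", "/fonts/")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument} ('' when none).
    Directive names are case-insensitive, so they are lower-cased; quotes stripped."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def is_private_safe(value: str) -> bool:
    """True when the header carries both no-store and no-cache."""
    return PRIVATE_DIRECTIVES <= set(parse_cache_control(value))


def cache_control_for(path: str) -> str:
    """Sensitive pages are never stored; static includes stay cacheable so the
    bandwidth cost described above only applies where it has to."""
    if path.startswith(SENSITIVE_PREFIXES):
        return "no-cache,no-store"
    if path.startswith(STATIC_PREFIXES):
        return "public, max-age=86400"
    return "public, max-age=300"  # public marketing pages: short-lived caching


class CacheControlMiddleware:
    """WSGI middleware that sets Cache-Control on every response by path,
    replacing any value the wrapped application already set."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        value = cache_control_for(environ.get("PATH_INFO", "/"))

        def _start(status, headers, exc_info=None):
            kept = [h for h in headers if h[0].lower() != "cache-control"]
            return start_response(status, kept + [("Cache-Control", value)], exc_info)

        return self.app(environ, _start)
```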