Skip to main

Cache Control


Why use this header at all?

The Cache-Control header informs intermediate caches (HAProxy, Squid, or any ISP proxies, such as that used by old AOL browser) if it may store data your site sends, and for how long.


Consider the Impact of Compliance section below to see if this recommendation works for you.

Set this header with the no-store and no-cache attributes on pages and assets that are considered private.

Risk Mitigated

By following this recommendation, what risk is mitigated?

If your application deals with any protected data classes, such as PII, corporate finance or similar, or any private communications such as e-mail or messages, you should follow the recommendation.

Impact of Compliance

By using this header, you may expect these changes in your site's functionality

If you comply with this recommendation, you may notice an increase in bandwidth as cached resources are now fetched from your server. Optimize your caches to allow images, static files and documents, font, scripts and stylesheets to be cached if possible.

Next Steps

What you can do to get there

Review what pages contain sensitive data, and ensure the Cache-Control header is set with the no-store,no-cache value. Other pages, such as public marketing materials, images, and includes (CSS, JS) may benefit from caching and should be set accordingly.


What this header may look like when implemented securely

Cache-Control: no-cache,no-store

Read More!

Welcome! The library is new, and has some content to read over -- We'll be adding more soon!