Why use this header at all?
The Cache-Control header tells intermediate caches (HAProxy, Squid, or any ISP proxy, such as the one used by the old AOL browser) whether they may store the data your site sends, and for how long.
Consider the Impact of Compliance section below to see if this recommendation works for you.
Set this header, with the no-cache directive, on pages and assets that are considered private.
By following this recommendation, what risk is mitigated?
If your application deals with any protected data classes, such as PII, corporate finance or similar, or any private communications such as e-mail or messages, you should follow the recommendation.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
If you comply with this recommendation, you may notice an increase in bandwidth, as resources that were previously served from caches are now fetched from your server. Optimize your caches to allow images, static files and documents, fonts, scripts and stylesheets to be cached where possible.
What you can do to get there
Review which pages contain sensitive data, and ensure the Cache-Control header on them is set to the no-store,no-cache value. Other pages, such as public marketing materials, images, and includes (CSS, JS), may benefit from caching and should be set accordingly.
What this header may look like when implemented securely
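The following is an added example, not code from the original guide: a small WSGI middleware that applies the recommendation above by choosing a Cache-Control value per request path (no-store,no-cache for private pages, a cacheable value for static includes), together with a checker that parses an existing Cache-Control value and reports whether it actually stops caches from storing the response. The URL prefixes, the static file extensions, the max-age value and the demo application are assumptions made for the example. Note that no-cache alone only forces revalidation; no-store is the directive that prevents storage, which is why the checker insists on it.

```python
"""
Added example (not part of the original guide): per-path Cache-Control
selection as WSGI middleware, plus a parser/checker for existing values.
Path prefixes, static extensions, max-age and the demo app are assumptions.
"""
import os

# Value the guide recommends for pages carrying private data. "no-store" is
# what actually forbids storage; "no-cache" only forces revalidation.
SENSITIVE_CACHE_CONTROL = "no-store, no-cache"

# Public includes the guide says may benefit from caching. Assumption: these
# are served from versioned paths, so a one-day max-age is acceptable.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".woff2", ".pdf"}
PUBLIC_CACHE_CONTROL = "public, max-age=86400"

# Assumption: URL prefixes under which responses carry PII or private messages.
SENSITIVE_PREFIXES = ("/account", "/messages", "/admin", "/api/")


def cache_control_for(path: str) -> str:
    """Choose a Cache-Control value from the request path."""
    if path.startswith(SENSITIVE_PREFIXES):
        return SENSITIVE_CACHE_CONTROL
    if os.path.splitext(path)[1].lower() in STATIC_EXTENSIONS:
        return PUBLIC_CACHE_CONTROL
    # Fail closed: anything unclassified is treated as private.
    return SENSITIVE_CACHE_CONTROL


def parse_cache_control(value: str) -> dict:
    """Parse 'a, b=1' into {'a': None, 'b': '1'}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def is_safe_for_sensitive(value: str) -> bool:
    """True only if the value forbids storage by both shared caches and the browser.

    'private' keeps shared caches out but the browser may still store the page,
    and 'no-cache' alone allows storage with revalidation, so only 'no-store'
    satisfies the guide's recommendation for sensitive pages.
    """
    return "no-store" in parse_cache_control(value)


class CacheControlMiddleware:
    """WSGI middleware that adds Cache-Control unless the app already set one."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def _start(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "cache-control" not in names:
                headers.append(("Cache-Control", cache_control_for(path)))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def _demo_app(environ, start_response):
    """Minimal application used only to exercise the middleware (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def headers_for(path: str) -> dict:
    """Run one request through the middleware and return the response headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    body = CacheControlMiddleware(_demo_app)({"PATH_INFO": path}, start_response)
    list(body)  # drain the iterable as a WSGI server would
    return captured


if __name__ == "__main__":
    for p in ("/account/settings", "/static/app.js", "/"):
        print(p, "->", headers_for(p)["Cache-Control"])
    for v in ("no-store, no-cache", "private, max-age=0", "no-cache"):
        print(repr(v), "safe for sensitive pages:", is_safe_for_sensitive(v))
```

The middleware defaults to the sensitive value for anything it cannot classify, so a new page that is forgotten in the prefix list costs bandwidth rather than leaking data; the checker can be pointed at captured response headers to audit pages that were already deployed.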