Cache-Control for Security — Preventing Sensitive Data Leaks

Cache-Control is an HTTP header that controls how browsers and proxies cache responses. For security, sensitive pages (login, account, admin, API responses with personal data) must use Cache-Control: no-store to prevent cached copies from being accessed by other users on shared computers, proxy servers, or browser back/forward navigation.

Recommended Value

Cache-Control: no-store, no-cache, must-revalidate, private

What Each Directive Does

Directive        Purpose
no-store         Never store any copy of the response — the strongest cache prevention directive
no-cache         Cache may store but must revalidate with the server before every use
private          Only the browser may cache, not shared proxies or CDNs
must-revalidate  Stale cached copies must not be used without revalidation

What Happens Without This Header

Without proper Cache-Control, sensitive pages can be stored in browser cache, CDN edge caches, or corporate proxy servers. A subsequent user on a shared computer can press the Back button to view the previous user's account page. CDN cache poisoning can serve one user's data to another.

How to Implement

# Nginx — for sensitive pages
# Note: add_header inside a location block replaces, rather than extends, any
# add_header lines inherited from the server or http context, so repeat other
# security headers here if they are set at a higher level.
location /account {
    add_header Cache-Control "no-store, no-cache, must-revalidate, private" always;
    add_header Pragma "no-cache";
}

# Express.js — for API responses with user data
app.use('/api/user', (req, res, next) => {
  res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, private');
  res.setHeader('Pragma', 'no-cache');  // HTTP/1.0 backward compat
  next();
});

# Django view decorator (applies per view; Django's keyword names map to the
# hyphenated directives: no_store -> no-store, must_revalidate -> must-revalidate)
from django.views.decorators.cache import cache_control

@cache_control(no_store=True, no_cache=True, must_revalidate=True, private=True)
def account_view(request):
    ...
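The snippets above set the header one route at a time. The following is an added example, not code from the page or from any framework, of the same policy applied centrally as a WSGI middleware so that an upstream view cannot accidentally ship a sensitive page with a permissive header. The prefix list and the toy upstream app are assumptions chosen for the demonstration; only the standard library is used.

```python
"""Force the recommended Cache-Control on sensitive paths at the WSGI layer.

Added example (not from the original page). Wraps any WSGI application
(Django, Flask, plain wsgiref) and overrides whatever Cache-Control/Pragma
the application set for paths under the sensitive prefixes.
"""
from wsgiref.util import setup_testing_defaults

# Assumed list of path prefixes that carry personal or privileged data.
SENSITIVE_PREFIXES = ("/login", "/account", "/admin", "/api/user")
NO_STORE = "no-store, no-cache, must-revalidate, private"


class NoStoreMiddleware:
    """Replace Cache-Control and Pragma on sensitive responses with no-store values."""

    def __init__(self, app, prefixes=SENSITIVE_PREFIXES):
        self.app = app
        self.prefixes = tuple(prefixes)  # str.startswith needs a tuple

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if not path.startswith(self.prefixes):
            return self.app(environ, start_response)  # non-sensitive: untouched

        def guarded_start_response(status, headers, exc_info=None):
            # Drop any Cache-Control/Pragma the view emitted (e.g. a default
            # "public, max-age=...") and append the safe values instead.
            kept = [(k, v) for k, v in headers
                    if k.lower() not in ("cache-control", "pragma")]
            kept.append(("Cache-Control", NO_STORE))
            kept.append(("Pragma", "no-cache"))  # HTTP/1.0 caches
            return start_response(status, kept, exc_info)

        return self.app(environ, guarded_start_response)


def demo_app(environ, start_response):
    """Constructed upstream app that wrongly marks every response cacheable."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"hello"]


def response_headers(app, path):
    """Run one request through a WSGI app offline and return its headers as a dict."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    b"".join(app(environ, start_response))  # consume the body iterable
    return dict(captured["headers"])


if __name__ == "__main__":
    app = NoStoreMiddleware(demo_app)
    for p in ("/account/settings", "/static/app.js"):
        print(p, response_headers(app, p).get("Cache-Control"))
```

Wrapping the application rather than decorating each view means a newly added `/account/...` route is covered by default; the audit of what actually leaves the server still belongs in the test step described below.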

Testing and Report-Only

Cache-Control has no report-only mode. Test by inspecting response headers in DevTools and checking that sensitive pages return no-store. Also verify CDN behavior separately — some CDNs override Cache-Control headers.
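Inspecting headers by hand in DevTools does not scale past a handful of routes. As an added example (not code from the page), the checker below parses a Cache-Control value the way a cache does (comma-separated, case-insensitive directive names, optional `=value`) and applies the directive semantics from the table above: only `no-store` passes, `no-cache` or `private` alone is downgraded, and an explicit `public`/`max-age` or a missing header is flagged. The sensitive prefixes and the sample responses are constructed for the demonstration; in practice the header dicts would come from real responses captured with an HTTP client.

```python
"""Audit Cache-Control on sensitive endpoints (added example, not from the page)."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed list of path prefixes whose responses must not be cached.
SENSITIVE_PREFIXES = ("/login", "/account", "/admin", "/api/user")


def parse_cache_control(value: str | None) -> dict[str, str | None]:
    """'No-Store, max-age=0, private' -> {'no-store': None, 'max-age': '0', 'private': None}.

    Directive names are case-insensitive (RFC 9111), so they are lower-cased.
    """
    directives: dict[str, str | None] = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def classify(cc: dict[str, str | None]) -> tuple[str, str] | None:
    """Return (severity, message) for an inadequate header, or None when no-store is set."""
    if "no-store" in cc:
        return None
    if not cc:
        return ("high", "Cache-Control missing; caches may store the response heuristically")
    max_age = cc.get("max-age")
    if "public" in cc or (max_age and max_age.isdigit() and int(max_age) > 0):
        return ("high", "response is explicitly cacheable; replace with no-store")
    if "no-cache" in cc:
        return ("medium", "no-cache still permits a stored copy; use no-store")
    if "private" in cc:
        return ("medium", "private only blocks shared caches; the browser may still store it")
    return ("high", "no directive prevents storage; add no-store")


@dataclass
class Finding:
    path: str
    severity: str  # "high", "medium" or "info"
    message: str


def audit_response(path: str, headers: dict[str, str]) -> list[Finding]:
    """Findings for one response; header names are matched case-insensitively."""
    if not path.startswith(SENSITIVE_PREFIXES):
        return []  # static assets etc. are allowed to cache
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control"))
    verdict = classify(cc)
    if verdict is None:
        if "private" not in cc:
            return [Finding(path, "info", "no-store set; add private to address shared caches explicitly")]
        return []
    return [Finding(path, *verdict)]


def audit_all(responses):
    """Run audit_response over (path, headers) pairs and flatten the findings."""
    return [f for path, headers in responses for f in audit_response(path, headers)]


# Constructed sample responses standing in for a captured crawl.
SAMPLE_RESPONSES = [
    ("/account", {"Cache-Control": "no-store, no-cache, must-revalidate, private",
                  "Pragma": "no-cache"}),
    ("/api/user/42", {"cache-control": "private, max-age=600"}),
    ("/admin/users", {"Cache-Control": "no-cache"}),
    ("/login", {}),
    ("/static/app.js", {"Cache-Control": "public, max-age=31536000"}),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_RESPONSES):
        print(f"[{f.severity}] {f.path}: {f.message}")
```

Because this runs against response headers as observed by the client, it also surfaces the CDN caveat: if the origin sends `no-store` but the edge rewrites or strips it, the finding appears at the edge even though the application code is correct.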

Frequently Asked Questions

When should I use no-store?

Use no-store for any page or API response containing personal data, authentication tokens, financial information, or admin content. This includes login pages, account dashboards, API endpoints returning user-specific data, and admin panels.

What is the difference between no-store and no-cache?

no-store means never save a copy anywhere. no-cache means you may save a copy but must check with the server before using it. For security-sensitive content, use no-store — it is the only directive that guarantees no cached copy exists.

Does Cache-Control affect CDN caching?

Cache-Control: private tells CDNs not to cache the response, but some CDNs ignore this. Use no-store for maximum safety, and verify your CDN configuration separately. Cloudflare, for example, respects no-store but may cache responses with only private set.