1.3.5 Disable Caching
Encryption at the network level prevents both passive and active network attacks, but TLS doesn't actually provide full end-to-end encryption: both sides involved in the communication have access to the plaintext. Caching is commonly used with HTTP to improve performance, so browsers, for example, may choose to store plaintext data in persistent storage. Intermediate proxy services (e.g., content delivery networks) may not only cache sensitive data but, when misconfigured, even serve it to other users.
With the rise of cloud-based application delivery platforms and content delivery networks, it has never been more important to carefully mark all sensitive content as private. The most secure option is to indicate that the content is private and that it must not be cached:
Cache-Control: private, no-store
With this setting, neither intermediate devices nor browsers will be allowed to cache the served content. For less important information, allowing browser caching may provide sufficient security.
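As an added illustration (not part of the original text), the following Python helper applies the storage rules described above to a set of constructed responses, flagging sensitive content that a shared cache or the browser would still be allowed to store; the sample paths, their sensitivity labels and the header values are assumptions.

```python
"""Audit Cache-Control on responses that carry sensitive data.

Added example, not from the original text. Models the storage rules the
text describes: no-store forbids all caching, private forbids shared
caches (proxies, CDNs) but still lets the browser store a copy.
Expires, Pragma and Vary are deliberately ignored here.
"""
import re
from typing import Optional

# directive token with optional =value (token or quoted-string), simplified RFC 7234 grammar
_DIRECTIVE = re.compile(r'\s*([^=,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,\s]*))?\s*(?:,|$)')


def parse_cache_control(header: str) -> dict:
    """Return {directive: value or None}; directive names are case-insensitive."""
    directives = {}
    for name, value in _DIRECTIVE.findall(header or ""):
        if value.startswith('"'):
            value = value[1:-1]  # strip the quotes from a quoted-string value
        directives[name.lower()] = value or None
    return directives


def storage_allowed(header: Optional[str]) -> dict:
    """Who may store the response: shared caches (CDN/proxy) and the browser."""
    if header is None:
        # No Cache-Control at all: caches may store heuristically, so treat it as open.
        return {"shared": True, "browser": True}
    d = parse_cache_control(header)
    if "no-store" in d:
        return {"shared": False, "browser": False}
    return {"shared": "private" not in d, "browser": True}


def audit(responses: list) -> list:
    """responses: (path, is_sensitive, cache_control). Returns findings for sensitive paths."""
    findings = []
    for path, sensitive, cc in responses:
        if not sensitive:
            continue
        allowed = storage_allowed(cc)
        if allowed["shared"]:
            findings.append((path, "shared cache may store; set Cache-Control: private, no-store"))
        elif allowed["browser"]:
            findings.append((path, "browser may store; add no-store if the data is sensitive"))
    return findings


# Constructed sample responses: (path, carries sensitive data?, Cache-Control value or None).
SAMPLE_RESPONSES = [
    ("/account/statement", True, "public, max-age=3600"),
    ("/account/profile", True, "private, max-age=0"),
    ("/account/settings", True, None),
    ("/api/session", True, 'private, no-store, no-cache="set-cookie"'),
    ("/static/app.js", False, "public, max-age=86400"),
]

if __name__ == "__main__":
    for path, problem in audit(SAMPLE_RESPONSES):
        print(f"{path}: {problem}")
```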