1.3.5 Disable Caching
Encryption at the network level protects data against network attacks, but TLS doesn't provide end-to-end encryption: each party involved in the communication has access to the plaintext. Caching is commonly used with HTTP to improve performance, so, for example, browsers may choose to store decrypted data in persistent storage. Intermediate proxy services (e.g., content delivery networks) may choose not only to cache sensitive data, but even to share it with other users in some situations.
With the increase of cloud-based application delivery platforms and content delivery networks, it's never been more important to very carefully mark all sensitive content as private. The most secure option is to indicate that the content is private and that it must not be cached:
Cache-Control: private, no-store
With this setting, neither intermediate devices nor browsers will be allowed to cache the served content.
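The following is an added example (not code from the book) that checks a response's Cache-Control header against the policy described above; the header parser, the issue strings, and the sample responses are all constructed here for illustration.

```python
"""Flag responses carrying sensitive content whose Cache-Control policy still
lets a browser or a shared cache (CDN, proxy) keep a copy. Added example."""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_policy_issues(headers):
    """Return the problems with the caching policy of a sensitive response.
    An empty list means the response is marked 'private, no-store'."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if not cc:
        return ["no Cache-Control header: caches may store it using heuristic freshness"]
    issues = []
    if "public" in cc:
        issues.append("'public' lets shared caches (CDN, proxy) store the response")
    if "no-store" not in cc:
        issues.append("missing 'no-store': a browser or proxy may write the response to disk")
    if "private" not in cc:
        issues.append("missing 'private': shared caches are not told the content is user-specific")
    for directive in ("max-age", "s-maxage"):
        if directive in cc and cc[directive] not in (None, "0"):
            issues.append(f"'{directive}={cc[directive]}' advertises a freshness lifetime; drop it for sensitive content")
    return issues


if __name__ == "__main__":
    # Constructed sample responses for an account page: weak, default, and fixed.
    samples = {
        "weak":    {"Cache-Control": "public, max-age=600"},
        "default": {},
        "fixed":   {"Cache-Control": "private, no-store"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: {cache_policy_issues(hdrs) or ['OK']}")
```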