Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Proper Cache-Control Implementation

Ingrid

This documentation pertains to the Web Application Headers (WAH) risk vector, which was replaced with Web Application Security (WAS) in the RAU25 and will be deprecated. WAH is now a non-graded risk vector and is assigned with an N/A grade.

Cache-Control sets conditions for storing data in the browser cache.

Optional for: HTTP 1.0

Required for: HTTP 1.1

The cache-control header is defined in RFC-7234. For cache-response verification, a no-cache directive is sufficient for a good response.

See the Google: Best Practice Guide for more information about this header.

See how Web Application Headers is assessed and finding messages.

  • March 26, 2025: Optional for HTTP 1.0.
  • September 12, 2023: Separated finding messages.
  • April 20, 2021: Updated “Insecure configuration” remediation instructions.
Was this article helpful?
8 out of 43 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.