Re-examine Cache-control Directives

ID

re_examine_cache_control_directives

Severity

info

Kind

Security Misconfiguration

CWE

525

Description

The Cache-Control header is missing or not set properly, allowing the browser and intermediate proxies to cache the response. For static assets such as CSS, JS, or image files this may be intended; however, each resource should be reviewed to ensure that no sensitive content is cached.

Rationale

Improper cache control directives allow sensitive data to be stored in browser caches, proxy caches, or content delivery networks. Attackers with access to shared computers, network infrastructure, or browser storage can retrieve cached sensitive information such as authentication tokens, personal data, or financial records. This is particularly dangerous in shared or public computing environments where subsequent users may access cached content from previous sessions.

Remediation

For sensitive content, ensure the Cache-Control HTTP header is set to "no-cache, no-store, must-revalidate". If an asset is meant to be cached, consider setting the directives "public, max-age, immutable".
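Added example (not part of this advisory): a small Python check that parses a response's Cache-Control header and reports whether it matches the remediation above for a sensitive or a static resource. The header dictionaries and `max_age` default are constructed for illustration.

```python
from typing import Dict, List, Optional

# Directive sets taken from the remediation text above.
SENSITIVE_REQUIRED = {"no-cache", "no-store", "must-revalidate"}
STATIC_RECOMMENDED = ("public", "max-age", "immutable")


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=600, immutable' into {'public': None, 'max-age': '600', ...}.
    Directive names are case-insensitive, so they are lower-cased for lookup."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def check_cache_control(headers: Dict[str, str], sensitive: bool) -> List[str]:
    """Return the problems found (empty list means the header is acceptable).
    'headers' is a response header map; lookup is case-insensitive."""
    lookup = {k.lower(): v for k, v in headers.items()}
    raw = lookup.get("cache-control")
    if raw is None:
        return ["Cache-Control header missing"]
    d = parse_cache_control(raw)
    problems: List[str] = []
    if sensitive:
        # All three directives are needed: 'no-cache' alone still lets caches store the body.
        missing = SENSITIVE_REQUIRED - d.keys()
        if missing:
            problems.append("sensitive response missing: " + ", ".join(sorted(missing)))
        if "public" in d:
            problems.append("sensitive response marked public")
    else:
        if "no-store" in d:
            return problems  # explicitly uncacheable: safe, just not cached
        for directive in STATIC_RECOMMENDED:
            if directive not in d:
                problems.append(f"cacheable asset lacks '{directive}'")
        if d.get("max-age") is not None and not d["max-age"].isdigit():
            problems.append("max-age is not an integer")
    return problems


def recommended_header(sensitive: bool, max_age: int = 31536000) -> str:
    """Header value the remediation prescribes; max_age default is a constructed choice."""
    if sensitive:
        return "no-cache, no-store, must-revalidate"
    return f"public, max-age={max_age}, immutable"
```

Run `check_cache_control` over captured responses and route any non-empty result to the review described in the description.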