---
title: Set Anti-cache Headers
impact: MEDIUM
impactDescription: prevents sensitive data from being cached in shared proxies or local browser caches
tags: headers, cache, sensitive-data, security, kotlin
---

## Set Anti-cache Headers

Sensitive information (banking details, health records, private profile data) that ends up in a browser cache or in an intermediary cache (proxy or CDN) can be read later by anyone with access to that machine or shared cache. The response must instruct both browsers and intermediaries not to store the data at all.

**Incorrect (no cache control for sensitive data):**

```kotlin
// Data returned without instructions to the browser
@GetMapping("/api/bank-details")
fun getDetails(): List<Transaction> {
    return transactionService.findAll() // Might be cached by browser or CDN
}
```

**Correct (explicit anti-cache headers):**

```kotlin
// Spring Boot (manual, per controller method)
// Requires: jakarta.servlet.http.HttpServletResponse (javax.servlet on Spring Boot 2.x)
@GetMapping("/api/bank-details")
fun getDetails(response: HttpServletResponse): List<Transaction> {
    // no-store forbids storage; private keeps shared caches out even if no-store is ignored
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private")
    response.setHeader("Pragma", "no-cache")   // HTTP/1.0 caches
    response.setHeader("Expires", "0")         // already expired
    return transactionService.findAll()
}

// Ktor 2.x: CachingHeaders plugin
// Requires: io.ktor.server.plugins.cachingheaders.*, io.ktor.http.*, io.ktor.http.content.*
install(CachingHeaders) {
    // Called for every outgoing response; returning null leaves the response unchanged
    options { _, outgoingContent ->
        if (outgoingContent.contentType?.withoutParameters() == ContentType.Application.Json) {
            // Emits "Cache-Control: no-store, private" on every JSON response
            CachingOptions(CacheControl.NoStore(CacheControl.Visibility.Private))
        } else null
    }
}

// Spring Security already writes Cache-Control/Pragma/Expires by default.
// http.headers().cacheControl().disable() // DO NOT DO THIS!
```

**Recommended Headers:**
- `Cache-Control: no-store, no-cache, must-revalidate, private`
- `Pragma: no-cache` (for HTTP/1.0 caches and clients that ignore `Cache-Control`)
- `Expires: 0` (marks the content as already expired)

**Critical areas to protect:**
- User account and profile pages.
- Authentication tokens or state.
- Personalized dashboards or reports.
- Administrative consoles.
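The following is an added example, not code from the original rule: a Spring MVC interceptor that applies the recommended headers to every response under the sensitive path prefixes listed above, plus a small checker that parses `Cache-Control` and reports whether a captured response actually forbids storage. The names `AntiCacheInterceptor`, `AntiCacheConfig`, `checkAntiCache` and the path patterns are assumptions for illustration; it targets Spring Boot 3 (jakarta servlet API).

```kotlin
// Added example (not part of the original rule). Assumes Spring Boot 3 / Spring MVC.
import jakarta.servlet.http.HttpServletRequest
import jakarta.servlet.http.HttpServletResponse
import org.springframework.context.annotation.Configuration
import org.springframework.web.servlet.HandlerInterceptor
import org.springframework.web.servlet.config.annotation.InterceptorRegistry
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer

/** Sets the anti-cache headers before the handler runs, so every matched response carries them. */
class AntiCacheInterceptor : HandlerInterceptor {
    override fun preHandle(request: HttpServletRequest, response: HttpServletResponse, handler: Any): Boolean {
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, private")
        response.setHeader("Pragma", "no-cache")
        response.setHeader("Expires", "0")
        return true
    }
}

/** Registers the interceptor for the sensitive areas; the path patterns are illustrative. */
@Configuration
class AntiCacheConfig : WebMvcConfigurer {
    override fun addInterceptors(registry: InterceptorRegistry) {
        registry.addInterceptor(AntiCacheInterceptor())
            .addPathPatterns("/api/bank-details/**", "/api/account/**", "/dashboard/**", "/admin/**")
    }
}

/** Splits a Cache-Control value into lower-cased directive names (max-age=60 -> "max-age"). */
fun cacheControlDirectives(value: String?): Set<String> =
    value.orEmpty()
        .split(',')
        .map { it.trim().substringBefore('=').lowercase() }
        .filter { it.isNotEmpty() }
        .toSet()

data class CacheCheck(val ok: Boolean, val problems: List<String>)

/** Checks a response's headers (header names matched case-insensitively) against the rule. */
fun checkAntiCache(headers: Map<String, String?>): CacheCheck {
    val normalized = headers.mapKeys { it.key.lowercase() }
    val directives = cacheControlDirectives(normalized["cache-control"])
    val problems = mutableListOf<String>()
    if ("no-store" !in directives) problems += "Cache-Control lacks no-store"
    if ("private" !in directives) problems += "Cache-Control lacks private (shared caches may store the body)"
    if ("public" in directives) problems += "Cache-Control contains public"
    if ("max-age" in directives || "s-maxage" in directives) problems += "Cache-Control allows a freshness lifetime"
    if (normalized["pragma"]?.trim()?.lowercase() != "no-cache") problems += "Pragma: no-cache missing"
    return CacheCheck(problems.isEmpty(), problems)
}

fun main() {
    // Constructed sample headers, as a scanner or DevTools would show them for a captured response.
    val hardened = mapOf(
        "Cache-Control" to "no-store, no-cache, must-revalidate, private",
        "Pragma" to "no-cache",
        "Expires" to "0",
    )
    val leaky = mapOf(
        "Cache-Control" to "public, max-age=3600",
        "Content-Type" to "application/json",
    )
    println("hardened: ${checkAntiCache(hardened)}")
    println("leaky:    ${checkAntiCache(leaky)}")
}
```

The interceptor sets the headers in `preHandle` so a handler that forgets them is still covered; the checker is the same logic a scanner such as OWASP ZAP applies, and is convenient in a MockMvc test that asserts `checkAntiCache(result.response.headerNames.associateWith { result.response.getHeader(it) }).ok` for each sensitive endpoint.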

**Tools:** OWASP ZAP, Browser DevTools (Network tab), Qualys SSL Labs
