Home / Tools / Add no-store cache headers to sensitive pages
Security Headers · Scan Check Guide

Add no-store cache headers to sensitive pages

20 min Impact: medium Effort: medium ✓ Scan-verified — no manual checkbox

Pages that show sensitive information — account details, order history, admin panels, search results with personal data — need a Cache-Control header telling browsers and shared caches (like a corporate proxy or CDN) not to store a copy, or the next person on that shared connection can see the previous user's page.

Login, account, and dashboard pages without Cache-Control: no-store can be saved by shared caches and browsers — meaning the next person on a shared or public computer might see the previous user's authenticated page.

How to fix it

  1. 1
    Identify pages that show account-specific or sensitive data
    Dashboards, account settings, checkout, admin areas, any page rendered differently per logged-in user.
  2. 2
    Add restrictive caching headers to those pages specifically
    Cache-Control: no-store, private on any page with sensitive or per-user content — this is different from your public marketing pages, which SHOULD cache normally for performance.
  3. 3
    Leave public, non-sensitive pages caching normally
    Don't apply no-store site-wide — that would hurt performance on pages that have no reason not to cache.

Common mistakes

How you'll know it's done

Pages with account-specific or sensitive content send Cache-Control: no-store, private; public pages continue caching normally.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →