What's the issue?
In 4.4.6 Testing for Browser Cache Weaknesses in the paragraph Browser History it says:
"The Back button can be stopped from showing sensitive data. This can be done by:
- Delivering the page over HTTPS.
- Setting Cache-Control: must-revalidate"
In a recent penetration test I had the issue that by using the back button after logging out I could retrieve the information previously shown again. I then modified the headers in the response to see if the advice from above works. At least in Firefox it did not; for other browsers I did not test it. After setting Cache-Control: must-revalidate the information could still be retrieved in the described way.
How do we solve it?
According to https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers the correct settings for the headers are:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
At least in my tests I could confirm that these headers resolved the issue.
Would you like to be assigned to this issue?
Check the box if you will submit a PR to fix this issue. Please read CONTRIBUTING.md.
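A small checker for the header set the issue proposes, as an added example that is not part of the issue or of the WSTG text. It parses Cache-Control directives properly (case-insensitive, `directive=value` forms) and reports what is missing; the two header sets at the bottom are constructed to mirror the original WSTG advice and the recommended replacement. The treatment of a malformed Expires value (such as `0`) as "already expired" follows the HTTP caching RFC, and the required directive list is taken from the issue text.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives the issue recommends; Cache-Control: no-store is what actually stops storage.
REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value}; value is None for flags."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def expires_is_past(value):
    """Expires: 0 / -1 / any non-date, or a past HTTP-date, all mean 'already stale'."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True  # invalid Expires values are treated as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def check_headers(headers):
    """Return findings for a response; an empty list means the back-button issue is mitigated."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = parse_cache_control(h.get("cache-control", ""))
    missing = sorted(REQUIRED_DIRECTIVES - cc.keys())
    if missing:
        findings.append("Cache-Control missing: " + ", ".join(missing))
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (for HTTP/1.0 caches)")
    if "expires" not in h or not expires_is_past(h["expires"]):
        findings.append("Expires missing or set in the future")
    return findings


# Constructed header sets: the original WSTG advice and the recommended replacement.
ORIGINAL_ADVICE = {"Cache-Control": "must-revalidate"}
RECOMMENDED = {"Cache-Control": "no-cache, no-store, must-revalidate",
               "Pragma": "no-cache", "Expires": "0"}

if __name__ == "__main__":
    for name, hdrs in (("original", ORIGINAL_ADVICE), ("recommended", RECOMMENDED)):
        print(name, "->", check_headers(hdrs) or "OK")
```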