[wp-trac] [WordPress Trac] #61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior

WordPress Trac noreply at wordpress.org
Sun Jun 29 23:01:23 UTC 2025


#61942: Add "no-store" to Cache-Control header to prevent unexpected cache behavior
--------------------------------------+--------------------------
 Reporter:  kkmuffme                  |       Owner:  johnbillion
     Type:  defect (bug)              |      Status:  closed
 Priority:  normal                    |   Milestone:  6.8
Component:  Security                  |     Version:
 Severity:  normal                    |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests  |     Focuses:
--------------------------------------+--------------------------

Comment (by westonruter):

 @devansh2002 @johnbillion Is `no-store` really necessary to have been
 added here? This directive
 [https://web.dev/articles/bfcache#minimize-no-store breaks]
 ([https://developer.chrome.com/docs/web-platform/bfcache-ccns generally])
 the browser's bfcache, greatly slowing down site
 back/forward navigations. The `private` directive should suffice, as noted
 in the linked
 [https://developers.cloudflare.com/cache/concepts/cache-control/#:~:text=private%20%E2%80%94%20Indicates%20the%20response%20message%20is%20intended%20for%20a%20single%20user%2C%20such%20as%20a%20browser%20cache%2C%20and%20must%20not%20be%20stored%20by%20a%20shared%20cache%20like%20Cloudflare%20or%20a%20corporate%20proxy. Cloudflare docs]
 above:

 > `private` — Indicates the response message is intended for a single
 > user, such as a browser cache, and must not be stored by a shared cache
 > like Cloudflare or a corporate proxy.

 When a back/forward navigation is restored without bfcache, the state of
 the page will usually reset (aside from static non-JS form fields),
 potentially resulting in data loss. I've been working on a
 [https://github.com/woocommerce/woocommerce/pull/58445 PR] for WooCommerce
 that enabled bfcache for the Cart, Checkout, and Account pages and it can
 have a
 [https://github.com/woocommerce/woocommerce/pull/58445#issuecomment-3014404754
 dramatic improvement] to the user experience.

 The remaining concern which originally introduced `no-store` and `private`
 in #21938 (via [55968]) was a privacy fix to prevent accessing
 authenticated pages from history after the user is logged out. I think
 there is a better way to handle this via a `pageshow` event handler
 client-side which I'm currently working on prototyping and writing up a
 proposal. This would entail the removal of `no-store` from being sent in
 the `Cache-Control` header.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61942#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
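
The client-side `pageshow` check mentioned in the comment above could look like the following. This is an added example, not code from the commenter or from WordPress core; the `example_session_marker` cookie (assumed JS-readable, set at login and cleared at logout) and the function names are assumptions.

```javascript
// Added illustration; not WordPress core code. The cookie name is hypothetical.
// Assumed: a JS-readable marker cookie set at login and cleared at logout.
const MARKER_COOKIE = 'example_session_marker';

// Return the raw value of a named cookie from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Decide whether a page restored from history must be discarded.
// markerAtLoad is the marker value captured when the page was first rendered.
function mustDiscardRestoredPage(persisted, markerAtLoad, cookieString) {
  if (!persisted) return false;            // normal load: the server already applied auth checks
  if (markerAtLoad === null) return false; // page was rendered for a logged-out visitor
  // Marker missing (logged out) or changed (different session): the snapshot is stale.
  return readCookie(cookieString, MARKER_COOKIE) !== markerAtLoad;
}

// Browser wiring; skipped when there is no window/document (for example under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const markerAtLoad = readCookie(document.cookie, MARKER_COOKIE);
  window.addEventListener('pageshow', (event) => {
    if (mustDiscardRestoredPage(event.persisted, markerAtLoad, document.cookie)) {
      document.documentElement.hidden = true; // hide stale authenticated content at once
      window.location.reload();               // refetch so the server enforces current auth state
    }
  });
}
```

`event.persisted` is true only for bfcache restores, so this check does not cover a back navigation served from the browser's HTTP cache.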

