Security: Authenticated Response Cached

Last updated: April 2026

An authenticated API response is being cached by a CDN or another shared cache. Because a shared cache keys on the URL, not on the user, one user's private data can be served to any other user who requests the same URL. Add the correct Cache-Control headers so shared caches never store these responses.


Fix — add Cache-Control: no-store to authenticated responses

# Nginx
location /api/ {
    # add_header in a location replaces any add_header inherited from the
    # server block, so repeat other security headers here. "always" covers
    # error responses too. proxy_hide_header drops the upstream's own
    # Cache-Control so the CDN never sees two conflicting values.
    proxy_hide_header Cache-Control;
    add_header Cache-Control "no-store" always;
    proxy_pass http://backend;
}
# Express
app.use('/api', (req, res, next) => {
  // A session cookie marks a request as authenticated just as a bearer
  // token does; checking only Authorization misses cookie-based sessions.
  if (req.headers.authorization || req.headers.cookie) {
    res.setHeader('Cache-Control', 'no-store');
  }
  next();
});
# vercel.json
{
  "headers": [
    {
      "source": "/api/(.*)",
      "headers": [
        { "key": "Cache-Control", "value": "no-store" }
      ]
    }
  ]
}

Cache-Control values for authenticated responses

Cache-Control: no-store           # do not store anywhere (safest)
Cache-Control: private, no-cache  # browser may store but must revalidate before reuse; shared caches (CDN) must not store
Cache-Control: private, max-age=0 # browser may store but the copy is stale at once and is revalidated before reuse; shared caches must not store
⚠ private alone does not prevent CDN caching if the CDN is configured to ignore or override origin cache headers. Use no-store for sensitive data. Note also that the HTTP caching rules give a request carrying an Authorization header some protection (a shared cache may not store the response unless it says public, s-maxage or must-revalidate), but a request authenticated only by a session cookie gets none: a plain max-age on such a response lets a CDN store it and serve it to everyone.
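The following is an added example, not code from the original page: a small checker that applies the RFC 9111 storage rules to a request/response pair and reports whether a shared cache such as a CDN may store the response, beside an Express-style middleware that sets no-store for any request carrying a bearer token or a session cookie. It assumes header names are lowercase (as Node's http module delivers them); the helpers `fakeResponse`, `headersAfterMiddleware` and `demo`, and the sample headers inside `demo`, are constructed for illustration and belong to no real system. It goes slightly beyond the table above by also covering responses with no cache headers at all, which a cache may still store heuristically for some status codes.

```javascript
// Added example (not from the original page). Status codes a cache may treat
// as heuristically fresh when the response gives no explicit freshness
// information (RFC 9111 section 4.2.2).
const HEURISTICALLY_CACHEABLE = new Set([200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501]);

// Parse a Cache-Control header into a Map of lowercase directive -> value
// (true for a bare directive such as no-store).
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    const raw = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives.set(name, raw);
  }
  return directives;
}

// Decide whether a shared cache may store this response (RFC 9111 section 3).
// Returns { shared: boolean, reason: string } so an audit can log why.
function sharedCacheVerdict(reqHeaders, resHeaders, status = 200) {
  const cc = parseCacheControl(resHeaders['cache-control']);
  if (cc.has('no-store')) return { shared: false, reason: 'no-store' };
  if (cc.has('private')) return { shared: false, reason: 'private' };
  // RFC 9111 section 3.5: with an Authorization request header a shared cache
  // may store the response only if it explicitly allows that. A plain max-age
  // does not count, and a session cookie gets no such protection at all.
  if (reqHeaders['authorization']) {
    const allowed = cc.has('public') || cc.has('must-revalidate') || cc.has('s-maxage');
    if (!allowed) return { shared: false, reason: 'Authorization request without public/s-maxage/must-revalidate' };
  }
  if (cc.has('public') || cc.has('s-maxage') || cc.has('max-age') || resHeaders['expires']) {
    return { shared: true, reason: 'explicit freshness or public' };
  }
  if (HEURISTICALLY_CACHEABLE.has(status)) {
    return { shared: true, reason: 'no cache headers; status is heuristically cacheable' };
  }
  return { shared: false, reason: 'no freshness information' };
}

// Express-style middleware: a bearer token or a session cookie both mark the
// request as authenticated. Works with any req/res exposing headers/setHeader.
function noStoreForAuthenticated(req, res, next) {
  if (req.headers['authorization'] || req.headers['cookie']) {
    res.setHeader('Cache-Control', 'no-store');
  }
  next();
}

// Hypothetical response stub so the middleware runs without a server.
function fakeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Run the middleware for a request with the given headers and return the
// response headers it set.
function headersAfterMiddleware(reqHeaders) {
  const res = fakeResponse();
  let called = false;
  noStoreForAuthenticated({ headers: reqHeaders }, res, () => { called = true; });
  if (!called) throw new Error('middleware did not call next()');
  return res.headers;
}

// Constructed sample cases (not real traffic). The second one is the leak
// pattern: a cookie-authenticated response with only max-age is storable by a CDN.
function demo() {
  const cases = [
    ['bearer + max-age', { authorization: 'Bearer t' }, { 'cache-control': 'max-age=60' }],
    ['cookie + max-age', { cookie: 'session=abc' }, { 'cache-control': 'max-age=60' }],
    ['cookie + private', { cookie: 'session=abc' }, { 'cache-control': 'private, max-age=60' }],
    ['cookie + no headers', { cookie: 'session=abc' }, {}],
    ['cookie + no-store', { cookie: 'session=abc' }, { 'cache-control': 'no-store' }],
  ];
  return cases.map(([name, req, res]) => ({ name, ...sharedCacheVerdict(req, res) }));
}

for (const r of demo()) {
  console.log(`${r.name.padEnd(20)} shared-cacheable=${r.shared} (${r.reason})`);
}
```

Run the file with Node to see the five verdicts; `sharedCacheVerdict` can also be pointed at headers captured from a real CDN response to confirm that the fix above took effect. The checker models the RFC rules, not any particular CDN's overrides, which is exactly why the warning above recommends no-store rather than relying on private.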