HTTPS doesn’t stop caching. It stops eavesdropping.
Your private API responses can still be cached by browsers, mobile apps, proxies, or CDNs.
If they contain tokens, PII, or account data — that’s ghost data left behind.
Rentgen checks authenticated endpoints and fails hard if caching isn’t explicitly disabled (no-store, private).
Not a warning. A real fail — because the impact is boring, common, and painful: data after logout, back button leaks, cached private responses.
This isn’t optimization.
It’s baseline security people forget because nothing breaks.
👉 Full story: https://rentgen.io/api-stories/cache-control-for-private-api.html