I'm building a web app, I have a valid SSL cert and I'm settings my headers to no-store on my web pages.
But, my web app's sensitive https data is visable through visiting "about:cache" and clicking to review the device memory. Even after the web application is logged out and the web app's tab is closed (i.e. other tabs in Firefox remain open.) Any ideas for what I might be doing wrong? Thank you -SR (P.S. I've also tried various header combinations of no-cache, no- store, must-revalidate, private, max-stale=0, post-check=0 & pre- check=0) (P.S. Forum admins sorry for the double post, I accidentally clicked the URL to cancel my previous post that went into the review queue.) _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
