How to fix: Cache-Control on the homepage
OWASP A04
Why this matters
Cache-Control: public, max-age=… (or s-maxage=…) on a homepage that carries personalised content (logged-in account links, user-specific data) tells shared caches (CDNs, corporate proxies) that the response is the same for everyone, so one user's page can be stored and served to the next. Either make the homepage genuinely public and non-personalised, or send Cache-Control: private (only the user's own browser may store it) or Cache-Control: no-store (nothing stores it) on responses rendered for a logged-in user. must-revalidate is not a substitute: it only forces a cache to check with the origin before reuse, and a 304 still lets the stored copy go to whoever asked.
Background
An explicit Cache-Control header on the homepage stops browsers and shared caches from guessing how long to keep the response. Without an explicit freshness lifetime (max-age, s-maxage or Expires), a cache is allowed to assign a heuristic one (RFC 9111, section 4.2.2), typically derived from Last-Modified, so a CDN or browser may keep serving the old page after a deploy, including stale authentication state if the homepage personalises anything.
References
RFC 9111 (HTTP Caching) · OWASP A04 (Insecure Design)
How to fix
Code snippet for each stack we cover. Pick the one matching your server / framework. Every snippet shows the value for a non-personalised homepage (public, max-age=300, must-revalidate). If the page renders differently for logged-in users, send private, no-store on those responses instead, and add Vary: Cookie to the public variant so a cache never pairs the anonymous copy with a cookie-bearing request.
nginx
location = / {
    # non-personalised homepage; for logged-in responses send "private, no-store" instead
    add_header Cache-Control "public, max-age=300, must-revalidate" always;
    # an add_header in this block replaces every add_header inherited from the server/http
    # level, so repeat your other security headers here or they vanish for this path
}
apache
# needs mod_headers; the regex matches only the homepage (<Location "/"> would match every path)
<LocationMatch "^/$">
    Header set Cache-Control "public, max-age=300, must-revalidate"
</LocationMatch>
cloudflare
Rules → Transform Rules → Modify Response Header: expression `http.request.uri.path eq "/"`, action "Set static" for Cache-Control with the value for your case. Cloudflare's own cache honours the Cache-Control it receives from the origin, so if the homepage is personalised also check that no Cache Rule or Page Rule makes the edge cache HTML for requests carrying the session cookie (Cloudflare does not cache HTML unless told to).
wordpress
Use a cache plugin (WP Rocket / W3 Total Cache) for the anonymous homepage and leave its "don't cache pages for logged-in users" behaviour switched on (both ship with it on); WordPress core additionally sends no-cache headers on responses to logged-in users. Do not put a public max-age on logged-in views: the problem with a personalised response in a shared cache is that it reaches other users, not that it goes stale.
flask
from flask import request

@app.after_request
def set_cache_headers(resp):
    if request.path == '/':
        # non-personalised homepage; use 'private, no-store' when the user is logged in
        resp.headers['Cache-Control'] = 'public, max-age=300, must-revalidate'
    return resp  # after_request handlers must return the response
express
// register this before the real '/' handler: it sets the header and hands off with next()
// (or simply call res.set() inside that handler)
app.get('/', (req, res, next) => {
  res.set('Cache-Control', 'public, max-age=300, must-revalidate'); // 'private, no-store' for logged-in responses
  next();
});
rails
before_action :set_cache_headers, only: [:index]

private

def set_cache_headers
  # non-personalised homepage; for logged-in users call expires_now or set
  # response.headers['Cache-Control'] = 'private, no-store' instead
  expires_in 5.minutes, public: true, must_revalidate: true
end
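The per-stack snippets above each hard-code one value; the rule in "Why this matters" is per request, not per site. The following is an added example (not one of the page's snippets and not any framework's own code): a stdlib-only WSGI middleware that wraps a Flask, Django or other WSGI app and decides the homepage Cache-Control from whether the request carries a session cookie, overriding whatever the app set and merging Vary: Cookie. The cookie name `session`, the demo app and the request runner are assumptions for illustration.

```python
"""Added example: choose the homepage Cache-Control per request, not per site.
Plain WSGI, stdlib only, so it wraps any WSGI app unchanged."""

SESSION_COOKIE = "session"  # assumption: the name of your app's login cookie
PUBLIC_POLICY = "public, max-age=300, must-revalidate"  # anonymous, non-personalised view
PRIVATE_POLICY = "private, no-store"                    # any response rendered for a logged-in user


def has_cookie(environ, name):
    """True if the request carried a cookie called `name` (presence only, no validation)."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        if part.strip().partition("=")[0] == name:
            return True
    return False


def cache_policy(path, personalised):
    """Policy for the homepage only; every other path is left to the app."""
    if path != "/":
        return None
    return PRIVATE_POLICY if personalised else PUBLIC_POLICY


class HomepageCacheControl:
    """WSGI middleware: overrides Cache-Control on '/' and makes sure Vary lists Cookie."""

    def __init__(self, app, session_cookie=SESSION_COOKIE):
        self.app = app
        self.session_cookie = session_cookie

    def __call__(self, environ, start_response):
        policy = cache_policy(environ.get("PATH_INFO", "/"),
                              has_cookie(environ, self.session_cookie))

        def patched_start_response(status, headers, exc_info=None):
            if policy is not None:
                # keep existing Vary members (e.g. Accept-Encoding), drop any Cache-Control the app set
                vary = [v for k, v in headers if k.lower() == "vary"]
                headers = [(k, v) for k, v in headers if k.lower() not in ("cache-control", "vary")]
                headers.append(("Cache-Control", policy))
                members = [m.strip() for v in vary for m in v.split(",") if m.strip()]
                if "*" not in members and not any(m.lower() == "cookie" for m in members):
                    members.append("Cookie")  # so a cache never pairs the anonymous copy with a cookie-bearing request
                headers.append(("Vary", ", ".join(members)))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the real app; note it sets a too-permissive Cache-Control itself."""
    body = b"<html>home</html>" if environ.get("PATH_INFO") == "/" else b"<html>about</html>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600"),
                              ("Vary", "Accept-Encoding")])
    return [body]


def run_request(app, path, cookie=""):
    """Drive a WSGI app in-process and return (status, {header: value}, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = HomepageCacheControl(demo_app)
    for path, cookie in [("/", ""), ("/", "session=abc123"), ("/about", "")]:
        _, headers, _ = run_request(app, path, cookie)
        print(f"{path:7} cookie={cookie!r:20} Cache-Control={headers['Cache-Control']!r} Vary={headers['Vary']!r}")
```

Wrap the real app the same way (`app.wsgi_app = HomepageCacheControl(app.wsgi_app)` in Flask, for instance) and keep the cookie name in one place; the middleware only looks for the cookie's presence, which is enough for a cache decision because a stale or forged cookie merely downgrades to the safer private, no-store policy.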
Verify it's working
curl -s -D - -o /dev/null https://your-site/ | grep -i '^cache-control' — should show an explicit value. Use a GET (as here) rather than curl -I: some servers and CDNs answer HEAD with different headers. Then repeat with your session cookie (cookie name as used by your app), curl -s -D - -o /dev/null -b 'session=…' https://your-site/ | grep -i '^cache-control', and confirm the logged-in response says private or no-store, not public.
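The curl check above shows the header but leaves the judgement to the reader. As an added example (not part of the original page), here is the same check with the decision logic written out: a small parser for Cache-Control directives, an assessment that applies the rule from "Why this matters" to both the anonymous and the logged-in case, and a fetcher that uses a GET like the curl line. The sample headers are constructed, not captured from any site, and the command-line interface is an assumption.

```python
"""Added example: assess a homepage's Cache-Control for the shared-cache problem. Stdlib only."""
import sys
import urllib.request


def parse_cache_control(value):
    """'Public, Max-Age=300, must-revalidate' -> {'public': None, 'max-age': '300', 'must-revalidate': None}.
    Directive names are case-insensitive (RFC 9111 section 5.2); arguments may be quoted."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def assess(cache_control, personalised):
    """Return (ok, reason). personalised=True means the request carried a session cookie,
    so the response must be kept out of shared caches."""
    if cache_control is None:
        return False, "no Cache-Control header: caches fall back to heuristic freshness"
    d = parse_cache_control(cache_control)
    if personalised:
        if "no-store" in d:
            return True, "no-store: response is not written to any cache"
        if "private" in d:
            return True, "private: only the user's own browser may store it"
        return False, "personalised response may be stored by shared caches (no private/no-store)"
    if "no-store" in d or "no-cache" in d:
        return True, "explicit: fetched or revalidated every time"
    if "max-age" in d or "s-maxage" in d:
        return True, "explicit freshness lifetime"
    return False, "no max-age/s-maxage: caches will guess a lifetime"


def fetch_cache_control(url, cookie=None):
    """GET the URL (not HEAD: some servers answer HEAD differently) and return the header or None."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Cache-Control")


# Constructed sample headers (not captured from any real site) covering the cases on this page.
SAMPLES = [
    ("public, max-age=300, must-revalidate", False),  # fine for a non-personalised homepage
    ("public, max-age=300, must-revalidate", True),   # the bug this page is about
    ("private, no-store", True),                      # correct for a logged-in view
    ("public", False),                                # explicit but no lifetime
    (None, False),                                    # header missing entirely
]


def assess_samples():
    """Run assess() over SAMPLES; returns (header, personalised, ok, reason) per sample."""
    return [(header, personalised, *assess(header, personalised)) for header, personalised in SAMPLES]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        cookie = sys.argv[2] if len(sys.argv) > 2 else None
        ok, reason = assess(fetch_cache_control(url, cookie), personalised=cookie is not None)
        print("OK" if ok else "FAIL", reason)
        sys.exit(0 if ok else 1)
    for header, personalised, ok, reason in assess_samples():
        who = "logged-in" if personalised else "anonymous"
        print("OK  " if ok else "FAIL", repr(header), who, "-", reason)
```

Run it once without a cookie and once with the session cookie (`python check_cache_control.py https://your-site/ 'session=…'`, cookie name as your app uses it); a `public` or bare `max-age` on the logged-in run is the finding. urllib follows redirects and reports the final response, and identifies itself as Python-urllib, which some CDNs block, so pass a browser-like User-Agent in the request headers if you get a 403.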