Content in cache after logout

Some vulnerability reporters notice that they can access content cached in their browser even after they've logged out, for example by using the browser's "Back" button. They will often ask us to modify the web application to always use the following HTTP headers, citing OWASP guidelines:

Cache-Control: no-cache, no-store
Expires: 0
Pragma: no-cache

We generally do not consider this to be a well-defined security risk. In order to access the cached pages, an attacker would need physical access to the targeted login session, or the ability to execute arbitrary code with the current user's privileges on the system.

Conclusion

If you report an issue related to cached content of the type described above, we won't file a bug based on your report.

Why? We believe that attackers with the degree of access described above are firmly outside the security model of contemporary browsers and operating systems, and will be able to extract comparable information from the records persisted in system memory or in the filesystem using off-the-shelf tools. They may also simply modify the system to place a keylogger or other malicious software that collects passwords or cookies, or injects malicious scripts onto every visited page.

In addition, the suggested HTTP headers do not prevent many other forms of content caching: for example, they do not invalidate any other tabs or windows that you may have open at the time, and they do not affect data stored in localStorage, kept within web workers, and so on.