cache-control: no store to prevent page review

In my article on Preventing Page Review After Logout With Forms Authentication, I talked about several HTTP headers that can be used to direct browsers not to cache pages locally.  In one comment, a reader said they had used the article’s code, but Firefox was still caching pages.  Another reader left a comment about using the “cache-control: no-store” header to prevent Firefox from caching pages.  If you see that Firefox is caching secured pages, try adding this header to your pages.  If possible, add it to your master page or page template.

ASP.NET, you can set this header by using the HttpCachePolicy.SetNoStore method.  Put this in your page_load at the latest.  You can also set this in your page’s HEAD section  by adding the following line of code:


In the IIS control panel, you can set headers to be automatically added to every response.  This is discussed briefly at, but if you’re in a shared host environment, you probably don’t have access to the IIS control panel.

The “Cache-Control: No Store” header can cause problems with PDF files in IE 6.  Microsoft has a KB article on this at;en-us;812935.  File downloads via SSL may also beimpacted if you use this header; see for more details.  This second article involves a registry edit.

Also, remember that browsers need to cache image files if you’re using image rollovers, so be careful where you use any of these headers.  You might mess up your menu.