John Y.

Reputation: 126

What are the drawbacks of using cache-control: no-store?

We want to "prevent the inadvertent release or retention of sensitive information (for example, on backup tapes :) )" and plan to use the HTTP header Cache-control: no-store. What are the down-sides of doing so? From the spec, it appears caching will continue to operate - it just cannot use non-volatile storage. In order to choose which responses to specify no-store on, we have some measure of "sensitivity." What is the counterbalancing measure we should use - in other words, why not mark all pages no-store?

Upvotes: 2

Views: 2563

Answers (1)

badunk

Reputation: 4350

By using the store, the client has a local cache that they can use. This cache gives them a performance boost and decreases the load on your own server.

In your case, I think it makes sense to have sensitive pages sent with no caching.

I believe another technical problem with no-store (and this is more of a weird side effect) is that older versions of IE have problems with the Content-Disposition header with caching turned off. The behavior is such that the download prompt will indefinitely have 0% progress.

One misconception about no-caching policies is that the browser will actually honor it and not save it to disk. This is not true - many modern browsers actually cache all responses to disk (See this SO). However, this cache is encrypted in those cases.

Overall, I think it's safe to do so. Make sure you're not relying on this mechanism; as @Robert Harvy says, once you send it over, you're at the mercy of the browser as to how it wants to save it.

Upvotes: 4
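
An added example, not part of the question or the answer above: a WSGI middleware that applies the trade-off discussed, sending `no-store` only for responses classified as sensitive and leaving everything else cacheable. The path prefixes, the `private, max-age=300` default and the sample app are assumptions made for illustration.

```python
# Assumption: sensitivity is decided by path prefix; substitute your own measure.
SENSITIVE_PREFIXES = ("/account", "/statements")
DEFAULT_CACHEABLE = "private, max-age=300"  # constructed default for non-sensitive pages

def cache_policy(path, headers):
    """Return (Cache-Control value, warnings) for one response."""
    names = {k.lower(): v for k, v in headers}
    warnings = []
    if path.startswith(SENSITIVE_PREFIXES):
        if "attachment" in names.get("content-disposition", "").lower():
            # Caveat from the answer: older IE may stall such downloads at 0%.
            warnings.append("no-store on a Content-Disposition download")
        return "no-store", warnings
    # Non-sensitive: keep what the app chose, otherwise allow local caching.
    return names.get("cache-control", DEFAULT_CACHEABLE), warnings

class CachePolicyMiddleware:
    def __init__(self, app):
        self.app = app
        self.log = []  # (path, warning) pairs for review

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        def patched(status, headers, exc_info=None):
            value, warnings = cache_policy(path, headers)
            headers = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            headers.append(("Cache-Control", value))
            self.log.extend((path, w) for w in warnings)
            return start_response(status, headers, exc_info)
        return self.app(environ, patched)

def sample_app(environ, start_response):
    """Constructed app: serves HTML, or a PDF attachment for *.pdf paths."""
    headers = [("Content-Type", "text/html")]
    if environ["PATH_INFO"].endswith(".pdf"):
        headers = [("Content-Type", "application/pdf"),
                   ("Content-Disposition", 'attachment; filename="s.pdf"')]
    start_response("200 OK", headers)
    return [b"ok"]

def headers_for(path):
    """Run one request through the middleware; return (headers, warning log)."""
    captured = {}
    def sr(status, headers, exc_info=None):
        captured.update({k.lower(): v for k, v in headers})
    mw = CachePolicyMiddleware(sample_app)
    list(mw({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, sr))
    return captured, mw.log
```

The warning log gives a list of sensitive downloads to test against any legacy browsers you still support before rolling the policy out.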
